Black Friday Special 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: best70

CS0-002 CompTIA CySA+ Certification Exam (CS0-002) Questions and Answers

Questions 4

A security team has begun updating the risk management plan, incident response plan, and system security plan to ensure compliance with security review guidelines. Which of the following can be executed by internal managers to simulate and validate the proposed changes?

Options:

A.

Internal management review

B.

Control assessment

C.

Tabletop exercise

D.

Peer review

Buy Now
Questions 5

Which of the following solutions is the BEST method to prevent unauthorized use of an API?

Options:

A.

HTTPS

B.

Geofencing

C.

Rate liming

D.

Authentication

Buy Now
Questions 6

Some hard disks need to be taken as evidence for further analysis during an incident response. Which of the following procedures must be completed FIRST for this type of evidence acquisition?

Options:

A.

Extract the hard drives from the compromised machines and then plug them into a forensics machine to apply encryption over the stored data to protect it from nonauthorized access.

B.

Build the chain-of-custody document, noting the media model, serial number, size, vendor, date, and time of acquisition.

C.

Perform a disk sanitization using the command #dd if=/dev/zero of=/dev/sdc bs=1M over the media that will receive a copy of the collected data.

D.

Execute the command #dd if-/dev/sda of=/dev/sdc bs=512 to clone the evidence data to external media to prevent any further change.

Buy Now
Questions 7

While observing several host machines, a security analyst notices a program is overwriting data to a buffer. Which of the following controls will best mitigate this issue?

Options:

A.

Data execution prevention

B.

Output encoding

C.

Prepared statements

D.

Parameterized queries

Buy Now
Questions 8

A financial institution's business unit plans to deploy a new technology in a manner that violates existing information security standards. Which of the following actions should the Chief Information Security Officer (CISO) take to manage any type of violation?

Options:

A.

Enforce the existing security standards and controls.

B.

Perform a risk analysis and qualify the risk with legal.

C.

Perform research and propose a better technology.

D.

Enforce the standard permits.

Buy Now
Questions 9

Given the Nmap request below:

Which of the following actions will an attacker be able to initiate directly against this host?

Options:

A.

Password sniffing

B.

ARP spoofing

C.

A brute-force attack

D.

An SQL injection

Buy Now
Questions 10

A systems administrator believes a user's workstation has been compromised. The workstation's performance has been lagging significantly for the past several hours. The administrator runs the task list

/ v command and receives the following output:

Which of the following should a security analyst recognize as an indicator of compromise?

Options:

A.

dwm.exe being executed under the user context

B.

The high usage of vscode. exe * 32

C.

The abnormal behavior of paint.exe

D.

svchost.exe being executed as SYSTEM

Buy Now
Questions 11

A new prototype for a company's flagship product was leaked on the internet As a result, the management team has locked out all USB drives Optical drive writers are not present on company computers The sales team has been granted an exception to share sales presentation files with third parties Which of the following would allow the IT team to determine which devices are USB enabled?

Options:

A.

Asset tagging

B.

Device encryption

C.

Data loss prevention

D.

SIEMIogs

Buy Now
Questions 12

A security analyst is reviewing malware files without running them. Which of the following analysis types is the security analyst using?

Options:

A.

Dynamic

B.

Sandbox

C.

Static

D.

Heuristic

Buy Now
Questions 13

Which of the following is a reason for correctly identifying APTs that might be targeting an organization?

Options:

A.

APTs' passion for social justice will make them ongoing and motivated attackers.

B.

APTs utilize methods and technologies differently than other threats

C.

APTs are primarily focused on financial gam and are widely available over the internet.

D.

APTs lack sophisticated methods, but their dedication makes them persistent.

Buy Now
Questions 14

A company employee downloads an application from the internet. After the installation, the employee begins experiencing noticeable performance issues, and files are appearing on the desktop.

Which of the following processes will the security analyst Identify as the MOST likely indicator of system compromise given the processes running in Task Manager?

Options:

A.

Chrome.exe

B.

Word.exe

C.

Explorer.exe

D.

mstsc.exe

E.

taskmgr.exe

Buy Now
Questions 15

An analyst is reviewing registry keys for signs of possible compromise. The analyst observes the following entries:

Which of the following entries should the analyst investigate first?

Options:

A.

IAStorIcon

B.

Quickset

C.

SecurityHeaIth

D.

calc

E.

Word

Buy Now
Questions 16

A security analyst is reviewing WAF logs and notes requests against the corporate website are increasing and starting to impact the performance of the web server. The security analyst queries the logs for requests that triggered an alert on the WAF but were not blocked. Which of the following possible TTP combinations might warrant further investigation? (Select TWO).

Options:

A.

Requests identified by a threat intelligence service with a bad reputation

B.

Requests sent from the same IP address using different user agents

C.

Requests blocked by the web server per the input sanitization

D.

Failed log-in attempts against the web application

E.

Requests sent by NICs with outdated firmware

F.

Existence of HTTP/501 status codes generated to the same IP address

Buy Now
Questions 17

A security analyst is reviewing port scan data that was collected over the course of several months. The following data represents the trends:

Which of the following is the BEST action for the security analyst to take after analyzing the trends?

Options:

A.

Review the system configurations to determine if port 445 needs to be open.

B.

Assume there are new instances of Apache in the environment.

C.

Investigate why the number of open SSH ports varied during the six months.

D.

Raise a concern to a supervisor regarding possible malicious use Of port 8443.

Buy Now
Questions 18

A security analyst is performing a Diamond Model analysis of an incident the company had last quarter. A potential benefit of this activity is that it can identify:

Options:

A.

detection and prevention capabilities to improve.

B.

which systems were exploited more frequently.

C.

possible evidence that is missing during forensic analysis.

D.

which analysts require more training.

E.

the time spent by analysts on each of the incidents.

Buy Now
Questions 19

A security analyst was transferred to an organization's threat-hunting team to track specific activity throughout the enterprise environment The analyst must observe and assess the number ot times this activity occurs and aggregate the results. Which of the following is the BEST threat-hunting method for the analyst to use?

Options:

A.

Stack counting

B.

Searching

C.

Clustering

D.

Grouping

Buy Now
Questions 20

A small business does not have enough staff in the accounting department to segregate duties. The controller writes the checks for the business and reconciles them against the ledger. To ensure there is no fraud occurring, the business conducts quarterly reviews in which a different officer in the business compares all the cleared checks against the ledger. Which of the following BEST describes this type of control?

Options:

A.

Deterrent

B.

Preventive

C.

Compensating

D.

Detective

Buy Now
Questions 21

An organization has the following vulnerability remediation policies:

• For production environment servers:

• Vulnerabilities with a CVSS score of 9.0 or greater must be remediated within 48 hours.

• Vulnerabilities with a CVSS score of 5.0 to 8.9 must be remediated within 96 hours.

• Vulnerabilities in lower environments may be left unremediated for up to two weeks.

* All vulnerability remediations must be validated in a testing environment before they are applied in the production environment.

The organization has two environments: production and testing. The accountingProd server is the only server that contains highly sensitive information.

A recent vulnerability scan provided the following report:

Which of the following identifies the server that should be patched first? (Choose Two)

Options:

A.

timecardProd

B.

timecardTesl

C.

expense Prod

D.

expenseTest

E.

accountingProd

F.

accountingTest

G.

stagingTest

Buy Now
Questions 22

During a risk assessment, a senior manager inquires about what the cost would be if a unique occurrence would impact the availability of a critical service. The service generates $1 ,000 in revenue for the organization. The impact of the attack would affect 20% of the server's capacity to perform jobs. The organization expects that five out of twenty attacks would succeed during the year. Which of the following is the calculated single loss expectancy?

Options:

A.

$200

B.

$800

C.

$5,000

D.

$20,000

Buy Now
Questions 23

Which of the following, BEST explains the function of TPM?

Options:

A.

To provide hardware-based security features using unique keys

B.

To ensure platform confidentiality by storing security measurements

C.

To improve management of the OS installation.

D.

To implement encryption algorithms for hard drives

Buy Now
Questions 24

An organization is performing a risk assessment to prioritize resources for mitigation and remediation based on impact. Which of the following metrics, in addition to the CVSS for each CVE, would best enable the organization to prioritize its efforts?

Options:

A.

OS type

B.

OS or application versions

C.

Patch availability

D.

System architecture

E.

Mission criticality

Buy Now
Questions 25

A security analyst scans the company's external IP range and receives the following results from one of the hosts:

Which of the following best represents the security concern?

Options:

A.

A remote communications port is exposed.

B.

The FTP port should be using TCP only.

C.

Microsoft RDP is accepting connections on TCP.

D.

The company's DNS server is exposed to everyone.

Buy Now
Questions 26

A code review reveals a web application is using lime-based cookies for session management. This is a security concern because lime-based cookies are easy to:

Options:

A.

parameterize.

B.

decode.

C.

guess.

D.

decrypt.

Buy Now
Questions 27

A new variant of malware is spreading on the company network using TCP 443 to contact its command-and-control server The domain name used for callback continues to change, and the analyst is unable to predict future domain name variance Which of the following actions should the analyst take to stop malicious communications with the LEAST disruption to service?

Options:

A.

Implement a sinkhole with a high entropy level

B.

Disable TCP/53 at the parameter firewall

C.

Block TCP/443 at the edge router

D.

Configure the DNS forwarders to use recursion

Buy Now
Questions 28

A security analyst is scanning the network to determine if a critical security patch was applied to all systems in an enterprise. The Organization has a very low tolerance for risk when it comes to resource availability. Which of the following is the BEST approach for configuring and scheduling the scan?

Options:

A.

Make sure the scan is credentialed, covers at hosts in the patch management system, and is scheduled during business hours so it can be terminated if it affects business operations.

B.

Make sure the scan is uncredentialed, covers at hosts in the patch management system, and Is scheduled during of business hours so it has the least impact on operations.

C.

Make sure the scan is credentialed, has the latest software and signature versions, covers all external hosts in the patch management system and is scheduled during off-business hours so it has the least impact on operations.

D.

Make sure the scan is credentialed, uses a ironed plug-in set, scans all host IP addresses in the enterprise, and is scheduled during off-business hours so it has the least impact on operations.

Buy Now
Questions 29

A security officer needs to find the most cost-effective solution to the current data privacy and protection gap found in the last security assessment. Which of the following is the BEST recommendation?

Options:

A.

Require users to sign NDAs

B.

Create a data minimization plan.

C.

Add access control requirements.

D.

Implement a data loss prevention solution.

Buy Now
Questions 30

Which of the following BEST describes HSM?

Options:

A.

A computing device that manages cryptography, decrypts traffic, and maintains library calls

B.

A computing device that manages digital keys, performs encryption/decryption functions, and maintains other cryptographic functions

C.

A computing device that manages physical keys, encrypts devices, and creates strong cryptographic functions

D.

A computing device that manages algorithms, performs entropy functions, and maintains digital signatures

Buy Now
Questions 31

A manager asks a security analyst lo provide the web-browsing history of an employee. Which of the following should the analyst do first?

Options:

A.

Obtain permission to perform the search.

B.

Obtain the web-browsing history from the proxy.

C.

Obtain the employee's network ID to form the query.

D.

Download the browsing history, encrypt it. and hash it

Buy Now
Questions 32

A SIEM analyst receives an alert containing the following URL:

Which of the following BEST describes the attack?

Options:

A.

Password spraying

B.

Buffer overflow

C.

insecure object access

D.

Directory traversal

Buy Now
Questions 33

Which of the following activities is designed to handle a control

failure that leads to a breach?

Options:

A.

Risk assessment

B.

Incident management

C.

Root cause analysis

D.

Vulnerability management

Buy Now
Questions 34

A security analyst is reviewing the following log entries to identify anomalous activity:

Which of the following attack types is occurring?

Options:

A.

Directory traversal

B.

SQL injection

C.

Buffer overflow

D.

Cross-site scripting

Buy Now
Questions 35

A computer hardware manufacturer developing a new SoC that will be used by mobile devices. The SoC should not allow users or the process to downgrade from a newer firmware to an older one. Which of the following can the hardware manufacturer implement to prevent firmware downgrades?

Options:

A.

Encryption

B.

eFuse

C.

Secure Enclave

D.

Trusted execution

Buy Now
Questions 36

Which of the following BEST describes how logging and monitoring work when entering into a public cloud relationship with a service provider?

Options:

A.

Logging and monitoring are not needed in a public cloud environment

B.

Logging and monitoring are done by the data owners

C.

Logging and monitoring duties are specified in the SLA and contract

D.

Logging and monitoring are done by the service provider

Buy Now
Questions 37

A company wants to ensure a third party does not take intellectual property and build a competing product. Which of the following is a non-technical data and privacy control that would best protect the company?

Options:

A.

Data encryption

B.

A non-disclosure agreement

C.

Purpose limitation

D.

Digital rights management

Buy Now
Questions 38

Which of the following attack techniques has the GREATEST likelihood of quick success against Modbus assets?

Options:

A.

Remote code execution

B.

Buffer overflow

C.

Unauthenticated commands

D.

Certificate spoofing

Buy Now
Questions 39

A security analyst implemented a solution that would analyze the attacks that the organization's firewalls failed to prevent. The analyst used the existing systems to enact the solution and executed the following command:

$ sudo nc —1 —v —e maildaemon.py 25 > caplog.txt

Which of the following solutions did the analyst implement?

Options:

A.

Log correlation

B.

Crontab mail script

C.

Sinkhole

D.

Honeypot

Buy Now
Questions 40

As part of the senior leadership team's ongoing nsk management activities the Chief Information Security Officer has tasked a security analyst with coordinating the right training and testing methodology to respond to new business initiatives or significant changes to existing ones The management team wants to examine a new business process that would use existing infrastructure to process and store sensitive data Which of the following would be appropnate for the security analyst to coordinate?

Options:

A.

A black-box penetration testing engagement

B.

A tabletop exercise

C.

Threat modeling

D.

A business impact analysis

Buy Now
Questions 41

A security analyst is analyzing the following output from the Spider tab of OWASP ZAP after a vulnerability scan was completed:

Which of the following options can the analyst conclude based on the provided output?

Options:

A.

The scanning vendor used robots to make the scanning job faster

B.

The scanning job was successfully completed, and no vulnerabilities were detected

C.

The scanning job did not successfully complete due to an out of scope error

D.

The scanner executed a crawl process to discover pages to be assessed

Buy Now
Questions 42

During a review of the vulnerability scan results on a server, an information security analyst notices the following:

The MOST appropriate action for the analyst to recommend to developers is to change the web server so:

Options:

A.

It only accepts TLSvl 2

B.

It only accepts cipher suites using AES and SHA

C.

It no longer accepts the vulnerable cipher suites

D.

SSL/TLS is offloaded to a WAF and load balancer

Buy Now
Questions 43

Which of the following can detect vulnerable third-parly libraries before code deployment?

Options:

A.

Impact analysis

B.

Dynamic analysis

C.

Static analysis

D.

Protocol analysis

Buy Now
Questions 44

During a company’s most recent incident, a vulnerability in custom software was exploited on an externally facing server by an APT. The lessons-learned report noted the following:

• The development team used a new software language that was not supported by the security team's automated assessment tools.

• During the deployment, the security assessment team was unfamiliar with the new language and struggled to evaluate the software during advanced testing. Therefore, the vulnerability was not detected.

• The current IPS did not have effective signatures and policies in place to detect and prevent runtime attacks on the new application.

To allow this new technology to be deployed securely going forward, which of the following will BEST address these findings? (Choose two.)

Options:

A.

Train the security assessment team to evaluate the new language and verify that best practices for secure coding have been followed

B.

Work with the automated assessment-tool vendor to add support for the new language so these vulnerabilities are discovered automatically

C.

Contact the human resources department to hire new security team members who are already familiar with the new language

D.

Run the software on isolated systems so when they are compromised, the attacker cannot pivot to adjacent systems

E.

Instruct only the development team to document the remediation steps for this vulnerability

F.

Outsource development and hosting of the applications in the new language to a third-party vendor so the risk is transferred to that provider

Buy Now
Questions 45

An organization's internal department frequently uses a cloud provider to store large amounts of sensitive data. A threat actor has deployed a virtual machine to at the use of the cloud hosted hypervisor, the threat actor has escalated the access rights. Which of the following actions would be BEST to remediate the vulnerability?

Options:

A.

Sandbox the virtual machine.

B.

Implement an MFA solution.

C.

Update lo the secure hypervisor version.

D.

Implement dedicated hardware for each customer.

Buy Now
Questions 46

A company uses an FTP server to support its critical business functions The FTP server is configured as follows:

• The FTP service is running with (he data duectory configured in /opt/ftp/data.

• The FTP server hosts employees' home aVectories in /home

• Employees may store sensitive information in their home directories

An loC revealed that an FTP director/ traversal attack resulted in sensitive data loss Which of the following should a server administrator implement to reduce the risk of current and future directory traversal attacks targeted at the FTP server?

Options:

A.

Implement file-level encryption of sensitive files

B.

Reconfigure the FTP server to support FTPS

C.

Run the FTP server n a chroot environment

D.

Upgrade the FTP server to the latest version

Buy Now
Questions 47

At which of the following phases of the SDLC shoukJ security FIRST be involved?

Options:

A.

Design

B.

Maintenance

C.

Implementation

D.

Analysis

E.

Planning

F.

Testing

Buy Now
Questions 48

An analyst needs to understand how an attacker compromised a server. Which of the following procedures will best deliver the information that is necessary to reconstruct the steps taken by the attacker?

Options:

A.

Scan the affected system with an anti-malware tool and check for vulnerabilities with a vulnerability scanner.

B.

Extract the server's system timeline, verifying hashes and network connections during a certain time frame.

C.

Clone the entire system and deploy it in a network segment built for tests and investigations while monitoring the system during a certain time frame.

D.

Clone the server's hard disk and extract all the binary files, comparing hash signatures with malware databases.

Buy Now
Questions 49

An incident response team is responding to a breach of multiple systems that contain Pll and PHI Disclosure of the incident to external entities should be based on:

Options:

A.

the responder's discretion.

B.

the public relations policy.

C.

the communication plan.

D.

the senior management team's guidance.

Buy Now
Questions 50

An information security analyst discovered a virtual machine server was compromised by an attacker. Which of the following should be the first steps to confirm and respond to the incident? (Select two).

Options:

A.

Pause the virtual machine.

B.

Shut down the virtual machine.

C.

Take a snapshot of the virtual machine.

D.

Remove the NIC from the virtual machine.

E.

Review host hypervisor log of the virtual machine.

F.

Execute a migration of the virtual machine.

Buy Now
Questions 51

A company's Chief Information Officer wants to use a CASB solution to ensure policies are being met during cloud access. Due to the nature of the company's business and risk appetite, the management team elected to not store financial information in the cloud. A security analyst needs to recommend a solution to mitigate the threat of financial data leakage into the cloud. Which of the following should the analyst recommend?

Options:

A.

Utilize the CASB to enforce DLP data-at-rest protection for financial information that is stored on premises.

B.

Do not utilize the CASB solution for this purpose, but add DLP on premises for data in motion.

C.

Utilize the CASB to enforce DLP data-in-motion protection for financial information moving to the cloud.

D.

Do not utilize the CASB solution for this purpose, but add DLP on premises for data at rest.

Buy Now
Questions 52

Which of the following is the BEST way to gather patch information on a specific server?

Options:

A.

Event Viewer

B.

Custom script

C.

SCAP software

D.

CI/CD

Buy Now
Questions 53

Which of the following is an advantage of continuous monitoring as a way to help protect an enterprise?

Options:

A.

Continuous monitoring leverages open-source tools, thereby reducing cost to the organization.

B.

Continuous monitoring responds to active Intrusions without requiring human assistance.

C.

Continuous monitoring blocks malicious activity by connecting to real-lime threat feeds.

D.

Continuous monitoring uses automation to identify threats and alerts in real time

Buy Now
Questions 54

Which of the following is the software development process by which function, usability, and scenarios are tested against a known set of base requirements?

Options:

A.

Security regression testing

B.

Code review

C.

User acceptance testing

D.

Stress testing

Buy Now
Questions 55

A small organization has proprietary software that is used internally. The system has not been wen maintained and cannot be updated with the rest or the environment. Which of the following is the BEST solution?

Options:

A.

virtualize the system and decommission the physical machine.

B.

Remove it from the network and require air gapping.

C.

Implement privileged access management for identity access.

D.

Implement MFA on the specific system.

Buy Now
Questions 56

An organization supports a large number of remote users. Which of the following is the best option to protect the data on the remote users' laptops?

Options:

A.

Require the use of VPNs.

B.

Require employees to sign an NDA.

C.

Implement a DLP solution.

D.

Use whole disk encryption.

Buy Now
Questions 57

Which of the following are the MOST likely reasons lo include reporting processes when updating an incident response plan after a breach? (Select TWO).

Options:

A.

To establish a clear chain of command

B.

To meet regulatory requirements for timely reporting

C.

To limit reputation damage caused by the breach

D.

To remediate vulnerabilities that led to the breach

E.

To isolate potential insider threats

F.

To provide secure network design changes

Buy Now
Questions 58

The incident response team is working with a third-party forensic specialist to investigate the root cause of a recent intrusion An analyst was asked to submit sensitive network design details for review The forensic specialist recommended electronic delivery for efficiency but email was not an approved communication channel to send network details Which of the following BEST explains the importance of using a secure method of communication during incident response?

Options:

A.

To prevent adversaries from intercepting response and recovery details

B.

To ensure intellectual property remains on company servers

C.

To have a backup plan in case email access is disabled

D.

To ensure the management team has access to all the details that are being exchanged

Buy Now
Questions 59

A Chief Information Security Officer (CISO) is concerned about new privacy regulations that apply to the company. The CISO has tasked a security analyst with finding the proper control functions to verify that a user's data is not altered without the user's consent. Which of the following would be an appropriate course of action?

Options:

A.

Automate the use of a hashing algorithm after verified users make changes to their data.

B.

Use encryption first and then hash the data at regular, defined times.

C.

Use a DLP product to monitor the data sets for unauthorized edits and changes.

D.

Replicate the data sets at regular intervals and continuously compare the copies for unauthorized changes.

Buy Now
Questions 60

Which of the following are the most likely reasons to include reporting processes when updating an incident response plan after a breach? (Select two).

Options:

A.

To use the SLA to determine when to deliver the report

B.

To meet regulatory requirements for timely reporting

C.

To limit reputation damage caused by the breach

D.

To remediate vulnerabilities that led to the breach

E.

To isolate potential insider threats

F.

To provide secure network design changes

Buy Now
Questions 61

A security team has begun updating the risk management plan incident response plan and system security plan to ensure compliance with secunty review guidelines Which of the (olowing can be executed by internal managers to simulate and validate the proposed changes'?

Options:

A.

Internal management review

B.

Control assessment

C.

Tabletop exercise

D.

Peer review

Buy Now
Questions 62

During an investigation, an analyst discovers the following rule in an executive's email client:

The executive is not aware of this rule. Which of the following should the analyst do first to evaluate the potential impact of this security incident?

Options:

A.

Check the server logs to evaluate which emails were sent to .

B.

Use the SIEM to correlate logging events from the email server and the domain server.

C.

Remove the rule from the email client and change the password.

D.

Recommend that the management team implement SPF and DKIM.

Buy Now
Questions 63

As a proactive threat-hunting technique, hunters must develop situational cases based on likely attack scenarios derived from the available threat intelligence information. After forming the basis of the scenario, which of the following may the threat hunter construct to establish a framework for threat assessment?

Options:

A.

Critical asset list

B.

Threat vector

C.

Attack profile

D.

Hypothesis

Buy Now
Questions 64

A team of network security analysts is examining network traffic to determine if sensitive data was exfiltrated. Upon further investigation, the analysts believe confidential data was compromised. Which of the following capabilities would BEST defend against this type of sensitive data exfiltration?

Options:

A.

Deploy an edge firewall.

B.

Implement DLP

C.

Deploy EDR.

D.

Encrypt the hard drives

Buy Now
Questions 65

Which of the following factors would determine the regulations placed on data under data sovereignty laws?

Options:

A.

What the company intends to do with the data it owns

B.

The company's data security policy

C.

The type of data the company stores

D.

The data laws of the country in which the company is located

Buy Now
Questions 66

Which of the following describes the difference between intentional and unintentional insider threats'?

Options:

A.

Their access levels will be different

B.

The risk factor will be the same

C.

Their behavior will be different

D.

The rate of occurrence will be the same

Buy Now
Questions 67

A security analyst works for a biotechnology lab that is planning to release details about a new cancer treatment. The analyst has been instructed to tune the SIEM softvare and IPS in preparation for the

announcement. For which of the following concerns will the analyst most likely be monitoring?

Options:

A.

Intellectual property loss

B.

PII loss

C.

Financial information loss

D.

PHI loss

Buy Now
Questions 68

Members of the sales team are using email to send sensitive client lists with contact information to their personal accounts The company's AUP and code of conduct prohibits this practice. Which of the following configuration changes would improve security and help prevent this from occurring?

Options:

A.

Configure the DLP transport rules to provide deep content analysis.

B.

Put employees' personal email accounts on the mail server on a blocklist.

C.

Set up IPS to scan for outbound emails containing names and contact information.

D.

Use Group Policy to prevent users from copying and pasting information into emails.

E.

Move outbound emails containing names and contact information to a sandbox for further examination.

Buy Now
Questions 69

A company has Detected a large number of tailed login attempts on its network A security analyst is investigating the network's activity logs to establish a pattern of behavior. Which of the following techniques should the analyst use to analyze the increase in failed login attempts?

Options:

A.

Evidence visualization

B.

Pattern matching

C.

Event correlation

D.

Network sniffing

Buy Now
Questions 70

Industry partners from critical infrastructure organizations were victims of attacks on their SCADA devices. The attacker was able to gain access to the SCADA by logging in to an account with weak credentials. Which of the following identity and access management solutions would help to mitigate this risk?

Options:

A.

Multifactor authentication

B.

Manual access reviews

C.

Endpoint detection and response

D.

Role-based access control

Buy Now
Questions 71

An organization is developing software to match customers' expectations. Before the software goes into production, it must meet the following quality assurance guidelines

• Uncover all the software vulnerabilities.

• Safeguard the interest of the software's end users.

• Reduce the likelihood that a defective program will enter production.

• Preserve the Interests of me software producer

Which of me following should be performed FIRST?

Options:

A.

Run source code against the latest OWASP vulnerabilities.

B.

Document the life-cycle changes that look place.

C.

Ensure verification and vacation took place during each phase.

D.

Store the source code in a s oftware escrow.

E.

Conduct a static analysis of the code.

Buy Now
Questions 72

A threat feed disclosed a list of files to be used as an loC for a zero-day vulnerability. A cybersecurity analyst decided to include a custom lookup for these files on the endpoint's log-in script as a mechanism to:

Options:

A.

automate malware signature creation.

B.

close the threat intelligence cycle loop.

C.

generate a STIX object for the TAXII server

D.

improve existing detection capabilities.

Buy Now
Questions 73

A security technician is testing a solution that will prevent outside entities from spoofing the company's email domain, which is compatia.org. The testing is successful, and the security technician is prepared to fully implement the solution. Which of the following actions should the technician take to accomplish this task?

Options:

A.

Add TXT @ "v=spfl mx include:_spf.comptia. org -all" to the DNS record.

B.

Add : XT @ "v=spfl mx include:_sp£.comptia.org -all" to the email server.

C.

Add TXT @ "v=spfl mx include:_sp£.comptia.org +all" to the domain controller.

D.

AddTXT @ "v=apfl mx lnclude:_spf .comptia.org +a 11" to the web server.

Buy Now
Questions 74

A company is building a new internal network. Instead of creating new credentials, the company wants to streamline each employee's authentication. Which of the following technologies would best fulfill this requirement?

Options:

A.

VPN

B.

SSO

C.

SAML

D.

MFA

Buy Now
Questions 75

A security analyst observes a large amount of scanning activity coming from an IP address outside the organization's environment. Which of the following should the analyst do to block this activity?

Options:

A.

Create an IPS rule to block the subnet.

B.

Sinkhole the IP address.

C.

Create a firewall rule to block the IP address.

D.

Close all unnecessary open ports.

Buy Now
Questions 76

A security learn implemented a SCM as part for its security-monitoring program there is a requirement to integrate a number of sources Into the SIEM to provide better context relative to the events being processed. Which of the following B€ST describes the result the security learn hopes to accomplish by adding these sources?

Options:

A.

Data enrichment

B.

Continuous integration

C.

Machine learning

D.

Workflow orchestration

Buy Now
Questions 77

A security analyst is looking at the headers of a few emails that appear to be targeting all users at an organization:

Which of the following technologies would MOST likely be used to prevent this phishing attempt?

Options:

A.

DNSSEC

B.

DMARC

C.

STP

D.

S/IMAP

Buy Now
Questions 78

A company's legal department is concerned that its incident response plan does not cover the countless ways security incidents can occur. The department has asked a security analyst to help tailor the response plan to provide broad coverage for many situations. Which of the following is the best way to achieve this goal?

Options:

A.

Focus on incidents that have a high chance of reputation harm.

B.

Focus on common attack vectors first.

C.

Focus on incidents that affect critical systems.

D.

Focus on incidents that may require law enforcement support.

Buy Now
Questions 79

A new government regulation requires that organizations only retain the minimum amount of data on a person to perform the organization's necessary activities. Which of the following techniques would help an organization comply with this new regulation?

Options:

A.

Storing the highest-risk data in a separate and secured environment

B.

Limiting access to data on a need-to-know basis

C.

Deidentlfying a data subject throughout the organization's applications

D.

Having a privacy expert peer review source code before deployment

Buy Now
Questions 80

A security analyst recently observed evidence of an attack against a company's web server. The analyst investigated the issue but was unable to find an exploit that adequately explained the observations.

Which of the following is the MOST likely cause of this issue?

Options:

A.

The security analyst needs updated forensic analysis tools.

B.

The security analyst needs more training on threat hunting and research.

C.

The security analyst has potentially found a zero-day vulnerability that has been exploited.

D.

The security analyst has encountered a polymorphic piece of malware.

Buy Now
Questions 81

A security analyst performs a weekly vulnerability scan on a network that has 240 devices and receives a report with 2.450 pages. Which of the following would most likely decrease the number of false positives?

Options:

A.

Manual validation

B.

Penetration testing

C.

A known-environment assessment

D.

Credentialed scanning

Buy Now
Questions 82

A security analyst reviews SIEM logs and discovers the following error event:

Which of the following environments does the analyst need to examine to continue troubleshooting the event?

Options:

A.

Proxy server

B.

SQL server

C.

Windows domain controller

D.

WAF appliance

E.

DNS server

Buy Now
Questions 83

Which of the following is the best reason why organizations need operational security controls?

Options:

A.

To supplement areas that other controls cannot address

B.

To limit physical access to areas that contain sensitive data

C.

To assess compliance automatically against a secure baseline

D.

To prevent disclosure by potential insider threats

Buy Now
Questions 84

A security analyst who works in the SOC receives a new requirement to monitor for indicators of compromise. Which of the following is the first action the analyst should take in this situation?

Options:

A.

Develop a dashboard to track the indicators of compromise.

B.

Develop a query to search for the indicators of compromise.

C.

Develop a new signature to alert on the indicators of compromise.

D.

Develop a new signature to block the indicators of compromise.

Buy Now
Questions 85

An organization has the following risk mitigation policy:

Risks with a probability of 95% or greater will be addressed before all others regardless of the impact.

All other prioritization will be based on risk value.

The organization has identified the following risks:

Which of the following is the order of priority for risk mitigation from highest to lowest?

Options:

A.

A, B, D, C

B.

A, B, C, D

C.

D, A, B, C

D.

D, A, C, B

Buy Now
Questions 86

An organization recently discovered that spreadsheet files containing sensitive financial data were improperly stored on a web server. The management team wants to find out if any of these files were downloaded by pubic users accessing the server. The results should be written to a text file and should induce the date. time, and IP address associated with any spreadsheet downloads. The web server's log file Is named webserver log, and the report We name should be accessreport.txt. Following is a sample of the web servefs.log file:

2017-0-12 21:01:12 GET /index.htlm - @4..102.33.7 - return=200 1622

Which of the following commands should be run if an analyst only wants to include entries in which spreadsheet was successfully downloaded?

Options:

A.

more webserver.log | grep * xIs > accessreport.txt

B.

more webserver.log > grep ''xIs > egrep -E 'success' > accessreport.txt

C.

more webserver.log | grep ' -E ''return=200 | accessreport.txt

D.

more webserver.log | grep -A *.xIs < accessreport.txt

Buy Now
Questions 87

During an incident response procedure, a security analyst collects a hard drive to analyze a possible vector of compromise. There is a Linux swap partition on the hard drive that needs to be checked. Which of the following, should the analyst use to extract human-readable content from the partition?

Options:

A.

strings

B.

head

C.

fsstat

D.

dd

Buy Now
Questions 88

An analyst is coordinating with the management team and collecting several terabytes of data to analyze using advanced mathematical techniques in order to find patterns and correlations in events and activities. Which of the following describes what the analyst is doing?

Options:

A.

Data visualization

B.

SOAR

C.

Machine learning

D.

SCAP

Buy Now
Questions 89

A Chief Information Security Officer has asked for a list of hosts that have critical and high-severity findings as referenced in the CVE database. Which of the following tools would produce the assessment output needed to satisfy this request?

Options:

A.

Nessus

B.

Nikto

C.

Fuzzer

D.

Wireshark

E.

Prowler

Buy Now
Questions 90

An organization has a policy that requires servers to be dedicated to one function and unneeded services to be disabled. Given the following output from an Nmap scan of a web server:

Which of the following ports should be closed?

Options:

A.

22

B.

80

C.

443

D.

1433

Buy Now
Questions 91

A company stores all of its data in the cloud. All company-owned laptops are currently unmanaged, and all users have administrative rights. The security team is having difficulty identifying a way to secure the environment. Which of the following would be the BEST method to protect the company's data?

Options:

A.

Implement UEM on an systems and deploy security software.

B.

Implement DLP on all workstations and block company data from being sent outside the company

C.

Implement a CASB and prevent certain types of data from being downloaded to a workstation

D.

Implement centralized monitoring and logging for an company systems.

Buy Now
Questions 92

An incident response team detected malicious software that could have gained access to credit card data. The incident response team was able to mitigate significant damage and implement corrective actions. By having incident response mechanisms in place. Which of the following should be notified for lessons learned?

Options:

A.

The human resources department

B.

Customers

C.

Company leadership

D.

The legal team

Buy Now
Questions 93

After a remote command execution incident occurred on a web server, a security analyst found the following piece of code in an XML file:

Which of the following it the BEST solution to mitigate this type of attack?

Options:

A.

Implement a better level of user input filters and content sanitization.

B.

Property configure XML handlers so they do not process sent parameters coming from user inputs.

C.

Use parameterized Queries to avoid user inputs horn being processed by the server.

D.

Escape user inputs using character encoding conjoined with whitelisting

Buy Now
Questions 94

An organization has the following risk mitigation policies

• Risks without compensating controls will be mitigated first it the nsk value is greater than $50,000

• Other nsk mitigation will be pnontized based on risk value.

The following risks have been identified:

Which of the following is the ordei of priority for risk mitigation from highest to lowest?

Options:

A.

A, C, D, B

B.

B, C, D, A

C.

C, B, A, D

D.

C. D, A, B

E.

D, C, B, A

Buy Now
Questions 95

A security analyst is investigate an no client related to an alert from the threat detection platform on a host (10.0 1.25) in a staging environment that could be running a cryptomining tool because it in sending traffic to an IP address that are related to Bitcoin.

The network rules for the instance are the following:

Which of the following is the BEST way to isolate and triage the host?

Options:

A.

Remove rules 1.2. and 3.

B.

Remove rules 1.2. 4. and 5.

C.

Remove rules 1.2. 3.4. and 5.

D.

Remove rules 1.2. and 5.

E.

Remove rules 1.4. and 5.

F.

Remove rules 4 and 5

Buy Now
Questions 96

During an incident response procedure, a security analyst acquired the needed evidence from the hard drive of a compromised machine. Which of the following actions should the analyst perform next to ensure the data integrity of the evidence?

Options:

A.

Generate hashes for each file from the hard drive.

B.

Create a chain of custody document.

C.

Determine a timeline of events using correct time synchronization.

D.

Keep the cloned hard drive in a safe place.

Buy Now
Questions 97

A company is required to monitor for unauthorized changes to baselines on all assets to comply with industry regulations. Two of the remote units did not recover after scans were performed on the assets. An analyst needs to recommend a solution to prevent recurrence. Which of the following is the best way to satisfy the regulatory requirement without impacting the availability to similar assets and creating an unsustainable process?

Options:

A.

Manually review the baselines daily and document the results in a change history log

B.

Document exceptions with compensating controls to demonstrate the risk mitigation efforts.

C.

Implement a new scanning technology to satisfy the monitoring requirement and train the team.

D.

Purchase new remote units from other vendors with a proven ability to support scanning requirements.

Buy Now
Questions 98

An organization is experiencing security incidents in which a systems administrator is creating unauthorized user accounts A security analyst has created a script to snapshot the system configuration each day. Following iss one of the scripts:

This script has been running successfully every day. Which of the following commands would provide the analyst with additional useful information relevant to the above script?

A)

B)

C)

D)

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Buy Now
Questions 99

A security analyst is reviewing WAF alerts and sees the following request:

Which of the following BEST describes the attack?

Options:

A.

SQL injection

B.

LDAP injection

C.

Command injection

D.

Denial of service

Buy Now
Questions 100

During an incident response procedure, a security analyst extracted a binary file from the disk of a compromised server. Which of the following is the best approach for analyzing the file without executing it?

Options:

A.

Memory analysis

B.

Hash signature check

C.

Reverse engineering

D.

Dynamic analysis

Buy Now
Questions 101

A security analyst is reviewing the network security monitoring logs listed below:

Which of the following is the analyst most likely observing? (Select two).

Options:

A.

10.1.1.128 sent potential malicious traffic to the web server.

B.

10.1.1.128 sent malicious requests, and the alert is a false positive

C.

10.1.1.129 successfully exploited a vulnerability on the web server

D.

10.1.1.129 sent potential malicious requests to the web server

E.

10.1.1.129 can determine mat port 443 is being used

F.

10.1.1.130 can potentially obtain information about the PHP version

Buy Now
Questions 102

Legacy medical equipment, which contains sensitive data, cannot be patched. Which of the following is the best solution to improve the equipment's security posture?

Options:

A.

Move the legacy systems behind a WAR

B.

Implement an air gap for the legacy systems.

C.

Place the legacy systems in the perimeter network.

D.

Implement a VPN between the legacy systems and the local network.

Buy Now
Questions 103

While reviewing abnormal user activity, a security analyst notices a user has the following fileshare activities:

Which of the following should the analyst do first?

Options:

A.

Initiate the security incident response process for unauthorized access.

B.

Shut down the servers while the access is investigated.

C.

Remove the user's access for all fileshares.

D.

Lock the user account until the access can be explained.

Buy Now
Questions 104

While conoXicting a cloud assessment, a security analyst performs a Prowler scan, which generates the following within the report:

Based on the Prowler report, which of the following is the BEST recommendation?

Options:

A.

Delete Cloud Dev access key 1

B.

Delete BusinessUsr access key 1.

C.

Delete access key 1.

D.

Delete access key 2.

Buy Now
Questions 105

A customer notifies a security analyst that a web application is vulnerable to information disclosure The analyst needs to indicate the seventy of the vulnerability based on its CVSS score, which the analyst needs to calculate When analyzing the vulnerability the analyst realizes that tor the attack to be successful, the Tomcat configuration file must be modified Which of the following values should the security analyst choose when evaluating the CVSS score?

Options:

A.

Network

B.

Physical

C.

Adjacent

D.

Local

Buy Now
Questions 106

The help desk is having difficulty keeping up with all onboarding and offboarding requests. Managers often submit, requests for new users at the last minute. causing the help desk to scramble to create accounts across many different Interconnected systems. Which of the following solutions would work BEST to assist the help desk with the onboarding and offboarding process while protecting the company's assets?

Options:

A.

MFA

B.

CASB

C.

SSO

D.

RBAC

Buy Now
Questions 107

A user receives a potentially malicious attachment that contains spelling errors and a PDF document. A security analyst reviews the email and decides to download the attachment to a Linux sandbox for review. Which of the following commands would most likely indicate if the email is malicious?

Options:

A.

sha256sum ~/Desktop/fi1e.pdf

B.

/bin/;s -1 ~/Desktop/fi1e.pdf

C.

strings ~/Desktop/fi1e.pdf | grep -i “

D.

cat < ~/Desktop/file.pdf | grep —i .exe

Buy Now
Questions 108

A security manager has asked an analyst to provide feedback on the results of a penetration test. After reviewing the results, the manager requests

information regarding the possible exploitation of vulnerabilities. Which of the following information data points would be MOST useful for the analyst

to provide to the security manager, who would then communicate the risk factors to the senior management team? (Select TWO).

Options:

A.

Probability

B.

Adversary capability

C.

Attack vector

D.

Impact

E.

Classification

F.

Indicators of compromise

Buy Now
Questions 109

A software developer is correcting the error-handling capabilities of an application following the initial coding of the fix. Which of the following would the software developer MOST likely performed to validate the code poor to pushing it to production?

Options:

A.

Web-application vulnerability scan

B.

Static analysis

C.

Packet inspection

D.

Penetration test

Buy Now
Questions 110

Company A is m the process of merging with Company B As part of the merger, connectivity between the ERP systems must be established so portent financial information can be shared between the two entitles. Which of the following will establish a more automated approach to secure data transfers between the two entities?

Options:

A.

Set up an FTP server that both companies can access and export the required financial data to a folder.

B.

Set up a VPN between Company A and Company B. granting access only lo the ERPs within the connection

C.

Set up a PKI between Company A and Company B and Intermediate shared certificates between the two entities

D.

Create static NATs on each entity's firewalls that map lo the ERP systems and use native ERP authentication to allow access.

Buy Now
Questions 111

A development team has asked users to conduct testing to ensure an application meets the needs of the business. Which of the fallowing types of testing docs This describe?

Options:

A.

Acceptance testing

B.

Stress testing

C.

Regression testing

D.

Penetration testing

Buy Now
Exam Code: CS0-002
Exam Name: CompTIA CySA+ Certification Exam (CS0-002)
Last Update: Dec 2, 2024
Questions: 372

PDF + Testing Engine

$140

Testing Engine

$105

PDF (Q&A)

$90