
CS0-002 CompTIA CySA+ Certification Exam (CS0-002) Questions and Answers

Question 4

While investigating an incident in a company's SIEM console, a security analyst found hundreds of failed SSH login attempts, which all occurred in rapid succession. The failed attempts were followed by a successful login on the root user. Company policy allows systems administrators to manage their systems only from the company's internal network using their assigned corporate logins. Which of the following are the BEST actions the analyst can take to stop any further compromise? (Select TWO.)

Options:

A. Configure /etc/sshd_config to deny root logins and restart the SSHD service.
B. Add a rule on the network IPS to block SSH user sessions.
C. Configure /etc/passwd to deny root logins and restart the SSHD service.
D. Reset the passwords for all accounts on the affected system.
E. Add a rule on the perimeter firewall to block the source IP address.
F. Add a rule on the affected system to block access to port TCP/22.

Question 5

A security analyst is investigating a malware infection that occurred on a Windows system. The system was not connected to a network and had no wireless capability. Company policy prohibits using portable media or mobile storage. The security analyst is trying to determine which user caused the malware to get onto the system. Which of the following registry keys would MOST likely have this information?

Options:

A. HKEY_USERS\\Software\Microsoft\Windows\CurrentVersion\Run
B. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
C. HKEY_USERS\\Software\Microsoft\Windows\explorer\MountPoints2
D. HKEY_USERS\\Software\Microsoft\Internet Explorer\Typed URLs
E. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\System\iusb3hub

Question 6

A system's authority to operate (ATO) is set to expire in four days. Because of other activities and limited staffing, the organization has neglected to start reauthentication activities until now. The cybersecurity group just performed a vulnerability scan with the partial set of results shown below:

Based on the scenario and the output from the vulnerability scan, which of the following should the security team do with this finding?

Options:

A. Remediate by going to the web config file, searching for the enforce HTTP validation setting, and manually updating to the correct setting.
B. Accept this risk for now because this is a "high" severity, but testing will require more than the four days available, and the system ATO needs to be completed.
C. Ignore it. This is a false positive, and the organization needs to focus its efforts on other findings.
D. Ensure HTTP validation is enabled by rebooting the server.

Question 7

A cybersecurity analyst is supporting an incident response effort via threat intelligence. Which of the following is the analyst MOST likely executing?

Options:

A. Requirements analysis and collection planning
B. Containment and eradication
C. Recovery and post-incident review
D. Indicator enrichment and research pivoting

Question 8

An analyst is searching a log for potential credit card leaks. The log stores all data encoded in hexadecimal. Which of the following commands will allow the security analyst to confirm the incident?

Options:

A. cat log xxd -r -p | egrep ' [0-9] {16}
B. egrep '(3(0-9)) (16) ' log
C. cat log | xxd -r -p egrep '(0-9) (16)'
D. egrep ' (0-9) (16) ' log | xxdc

Question 9

A system administrator is doing network reconnaissance of a company's external network to determine the vulnerability of various services that are running. Sending some sample traffic to the external host, the administrator obtains the following packet capture:

Based on the output, which of the following services should be further tested for vulnerabilities?

Options:

A. SSH
B. HTTP
C. SMB
D. HTTPS

Question 10

A security analyst suspects a malware infection was caused by a user who downloaded malware after clicking http:// /A.php in a phishing email.

To prevent other computers from being infected by the same malware variation, the analyst should create a rule on the:

Options:

A. email server that automatically deletes attached executables.
B. IDS to match the malware sample.
C. proxy to block all connections to .
D. firewall to block connection attempts to dynamic DNS hosts.

Question 11

An analyst wants to identify hosts that are connecting to the external FTP servers and what, if any, passwords are being used. Which of the following commands should the analyst use?

Options:

A. tcpdump -X dst port 21
B. ftp ftp.server -p 21
C. nmap -o ftp.server -p 21
D. telnet ftp.server 21

Question 12

Which of the following are components of the intelligence cycle? (Select TWO.)

Options:

A. Collection
B. Normalization
C. Response
D. Analysis
E. Correction
F. Dissension

Question 13

An organization that handles sensitive financial information wants to perform tokenization of data to enable the execution of recurring transactions. The organization is most interested in a secure, built-in device to support its solution. Which of the following would MOST likely be required to perform the desired function?

Options:

A. TPM
B. eFuse
C. FPGA
D. HSM
E. UEFI

Question 14

A large insurance company wants to outsource its claim-handling operations to an overseas third-party organization. Which of the following would BEST help to reduce the chance of highly sensitive data leaking?

Options:

A. Configure a VPN between the third-party organization and the internal company network.
B. Set up a VDI that the third party must use to interact with company systems.
C. Use MFA to protect confidential company information from being leaked.
D. Implement NAC to ensure connecting systems have malware protection.
E. Create jump boxes that are used by the third-party organization so it does not connect directly.

Question 15

A Chief Information Security Officer (CISO) wants to upgrade an organization's security posture by improving proactive activities associated with attacks from internal and external threats.

Which of the following is the MOST proactive tool or technique that feeds incident response capabilities?

Options:

A. Development of a hypothesis as part of threat hunting
B. Log correlation, monitoring, and automated reporting through a SIEM platform
C. Continuous compliance monitoring using SCAP dashboards
D. Quarterly vulnerability scanning using credentialed scans

Question 16

A security analyst is reviewing vulnerability scan results and notices new workstations are being flagged as having outdated antivirus signatures. The analyst observes the following plugin output:

Antivirus is installed on the remote host:
Installation path: C:\Program Files\AVProduct\Win32\
Product Engine: 14.12.101
Engine Version: 3.5.71
Scanner does not currently have information about AVProduct version 3.5.71. It may no longer be supported.
The engine version is out of date. The oldest supported version from the vendor is 4.2.11.

The analyst uses the vendor's website to confirm the oldest supported version is correct.

Which of the following BEST describes the situation?

Options:

A. This is a false positive, and the scanning plugin needs to be updated by the vendor.
B. This is a true negative, and the new computers have the correct version of the software.
C. This is a true positive, and the new computers were imaged with an old version of the software.
D. This is a false negative, and the new computers need to be updated by the desktop team.

Question 17

A company's data is still being exfiltrated to business competitors after the implementation of a DLP solution. Which of the following is the most likely reason why the data is still being compromised?

Options:

A. Printed reports from the database contain sensitive information
B. DRM must be implemented with the DLP solution
C. Users are not labeling the appropriate data sets
D. DLP solutions are only effective when they are implemented with disk encryption

Question 18

Approximately 100 employees at your company have received a phishing email. As a security analyst, you have been tasked with handling this situation.

INSTRUCTIONS

Review the information provided and determine the following:

1. How many employees clicked on the link in the phishing email?
2. On how many workstations was the malware installed?
3. What is the executable file name of the malware?

Question 19

A cybersecurity analyst is contributing to a team hunt on an organization's endpoints.

Which of the following should the analyst do FIRST?

Options:

A. Write detection logic.
B. Establish a hypothesis.
C. Profile the threat actors and activities.
D. Perform a process analysis.

Question 20

A security analyst needs to develop a brief that will include the latest incidents and the attack phases of the incidents. The goal is to support threat intelligence and identify whether or not the incidents are linked.

Which of the following methods would be MOST appropriate to use?

Options:

A. An adversary capability model
B. The MITRE ATT&CK framework
C. The Cyber Kill Chain
D. The Diamond Model of Intrusion Analysis

Question 21

While reviewing incident reports from the previous night, a security analyst notices the corporate websites were defaced with political propaganda. Which of the following BEST describes this type of actor?

Options:

A. Hacktivist
B. Nation-state
C. Insider threat
D. Organized crime

Question 22

A security analyst has received information from a third-party intelligence-sharing resource that indicates employee accounts were breached.

Which of the following is the NEXT step the analyst should take to address the issue?

Options:

A. Audit access permissions for all employees to ensure least privilege.
B. Force a password reset for the impacted employees and revoke any tokens.
C. Configure SSO to prevent passwords from going outside the local network.
D. Set up privileged access management to ensure auditing is enabled.

Question 23

An organization recently discovered some inconsistencies in the motherboards it received from a vendor. The organization's security team then provided guidance on how to ensure the authenticity of the motherboards it received from vendors.

Which of the following would be the BEST recommendation for the security analyst to provide?

Options:

A. The organization should evaluate current NDAs to ensure enforceability of legal actions.
B. The organization should maintain the relationship with the vendor and enforce vulnerability scans.
C. The organization should ensure all motherboards are equipped with a TPM.
D. The organization should use a certified, trusted vendor as part of the supply chain.

Question 24

A cybersecurity analyst needs to rearchitect the network using a firewall and a VPN server to achieve the highest level of security. To BEST complete this task, the analyst should place the:

Options:

A. firewall behind the VPN server
B. VPN server parallel to the firewall
C. VPN server behind the firewall
D. VPN on the firewall

Question 25

During an incident investigation, a security analyst acquired a malicious file that was used as a backdoor but was not detected by the antivirus application. After performing a reverse-engineering procedure, the analyst found that part of the code was obfuscated to avoid signature detection. Which of the following types of instructions should the analyst use to understand how the malware was obfuscated and to help deobfuscate it?

Options:

A. MOV
B. ADD
C. XOR
D. SUB
E. MOVL

Question 26

A security analyst has been alerted to several emails that show evidence an employee is planning malicious activities that involve employee PII on the network before leaving the organization. The security analyst's BEST response would be to coordinate with the legal department and:

Options:

A. the public relations department
B. senior leadership
C. law enforcement
D. the human resources department

Question 27

Ransomware is identified on a company's network that affects both Windows and Mac hosts. The command and control channel for encryption for this variant uses TCP ports from 11000 to 65000. The channel goes to good1.iholdbadkeys.com, which resolves to IP address 72.172.16.2.

Which of the following is the MOST effective way to prevent any newly infected systems from actually encrypting the data on connected network drives while causing the least disruption to normal Internet traffic?

Options:

A. Block all outbound traffic to web host good1.iholdbadkeys.com at the border gateway.
B. Block all outbound TCP connections to IP host address 172.172.16.2 at the border gateway.
C. Block all outbound traffic on TCP ports 11000 to 65000 at the border gateway.
D. Block all outbound traffic on TCP ports 11000 to 65000 to IP host address 172.172.16.2 at the border gateway.

Question 28

As part of a review of incident response plans, which of the following is MOST important for an organization to understand when establishing the breach notification period?

Options:

A. Organizational policies
B. Vendor requirements and contracts
C. Service-level agreements
D. Legal requirements

Question 29

Which of the following is the use of tools to simulate the ability for an attacker to gain access to a specified network?

Options:

A. Reverse engineering
B. Fuzzing
C. Penetration testing
D. Network mapping

Question 30

Which of the following would a security engineer recommend to BEST protect sensitive system data from being accessed on mobile devices?

Options:

A. Use a UEFI boot password.
B. Implement a self-encrypted disk.
C. Configure filesystem encryption.
D. Enable Secure Boot using TPM.

Question 31

Employees of a large financial company are continuously being infected by strains of malware that are not detected by EDR tools. Which of the following is the BEST security control to implement to reduce corporate risk while allowing employees to exchange files at client sites?

Options:

A. MFA on the workstations
B. Additional host firewall rules
C. VDI environment
D. Hard drive encryption
E. Network access control
F. Network segmentation

Question 32

A company wants to ensure confidential data from its storage media files is sanitized so the drives cannot be reused. Which of the following is the BEST approach?

Options:

A. Degaussing
B. Shredding
C. Formatting
D. Encrypting

Question 33

A security analyst is performing a Diamond Model analysis of an incident the company had last quarter. A potential benefit of this activity is that it can identify:

Options:

A. detection and prevention capabilities to improve.
B. which systems were exploited more frequently.
C. possible evidence that is missing during forensic analysis.
D. which analysts require more training.
E. the time spent by analysts on each of the incidents.

Question 34

A company recently experienced financial fraud, which included shared passwords being compromised and improper levels of access being granted. The company has asked a security analyst to help improve its controls.

Which of the following will MOST likely help the security analyst develop better controls?

Options:

A. An evidence summarization
B. An indicator of compromise
C. An incident response plan
D. A lessons-learned report

Question 35

A Chief Information Security Officer (CISO) is concerned about new privacy regulations that apply to the company. The CISO has tasked a security analyst with finding the proper control functions to verify that a user's data is not altered without the user's consent. Which of the following would be an appropriate course of action?

Options:

A. Use a DLP product to monitor the data sets for unauthorized edits and changes.
B. Use encryption first and then hash the data at regular, defined times.
C. Automate the use of a hashing algorithm after verified users make changes to their data.
D. Replicate the data sets at regular intervals and continuously compare the copies for unauthorized changes.

Question 36

An organization needs to limit its exposure to accidental disclosure when employees send emails that contain personal information to recipients outside the company. Which of the following technical controls would BEST accomplish this goal?

Options:

A. DLP
B. Encryption
C. Data masking
D. SPF

Question 37

A security analyst is building a malware analysis lab. The analyst wants to ensure malicious applications are not capable of escaping the virtual machines and pivoting to other networks.

To BEST mitigate this risk, the analyst should use:

Options:

A. an 802.11ac wireless bridge to create an air gap.
B. a managed switch to segment the lab into a separate VLAN.
C. a firewall to isolate the lab network from all other networks.
D. an unmanaged switch to segment the environments from one another.

Question 38

An organization wants to mitigate against risks associated with network reconnaissance. ICMP is already blocked at the firewall; however, a penetration testing team has been able to perform reconnaissance against the organization's network and identify active hosts. An analyst sees the following output from a packet capture:

Which of the following phrases from the output provides information on how the testing team is successfully getting around the ICMP firewall rule?

Options:

A. flags=RA indicates the testing team is using a Christmas tree attack
B. ttl=64 indicates the testing team is setting the time to live below the firewall's threshold
C. 0 data bytes indicates the testing team is crafting empty ICMP packets
D. NO FLAGS are set indicates the testing team is using hping

Question 39

A security analyst is reviewing the following DNS logs as part of security-monitoring activities:

Which of the following MOST likely occurred?

Options:

A. The attack used an algorithm to generate command and control information dynamically.
B. The attack used encryption to obfuscate the payload and bypass detection by an IDS.
C. The attack caused an internal host to connect to a command and control server.
D. The attack attempted to contact www.google.com to verify Internet connectivity.

Question 40

A malicious hacker wants to gather guest credentials on a hotel 802.11 network. Which of the following tools is the malicious hacker going to use to gain access to information found on the hotel network?

Options:

A. Nikto
B. Aircrack-ng
C. Nessus
D. tcpdump

Question 41

An analyst is reviewing a list of vulnerabilities, which were reported from a recent vulnerability scan of a Linux server.

Which of the following is MOST likely to be a false positive?

Options:

A. OpenSSH/OpenSSL Package Random Number Generator Weakness
B. Apache HTTP Server Byte Range DoS
C. GDI+ Remote Code Execution Vulnerability (MS08-052)
D. HTTP TRACE / TRACK Methods Allowed (002-1208)
E. SSL Certificate Expiry

Question 42

A company's legal department is concerned that its incident response plan does not cover the countless ways security incidents can occur. They have asked a security analyst to help tailor the response plan to provide broad coverage for many situations. Which of the following is the BEST way to achieve this goal?

Options:

A. Focus on incidents that may require law enforcement support.
B. Focus on common attack vectors first.
C. Focus on incidents that have a high chance of reputation harm.
D. Focus on incidents that affect critical systems.

Question 43

The inability to do remote updates of certificates, keys, software, and firmware is a security issue commonly associated with:

Options:

A. web servers on private networks
B. HVAC control systems
C. smartphones
D. firewalls and UTM devices

Question 44

A security analyst receives an alert from the SIEM about a possible attack happening on the network. The analyst opens the alert and sees the IP address of the suspected server as 192.168.54.66, which is part of the network 192.168.54.0/24. The analyst then pulls all the command history logs from that server and sees the following:

Which of the following activities is MOST likely happening on the server?

Options:

A. A MITM attack
B. Enumeration
C. Fuzzing
D. A vulnerability scan

Question 45

Which of the following is the BEST security practice to prevent ActiveX controls from running malicious code on a user's web application?

Options:

A. Configuring a firewall to block traffic on ports that use ActiveX controls
B. Adjusting the web-browser settings to block ActiveX controls
C. Installing network-based IPS to block malicious ActiveX code
D. Deploying HIPS to block malicious ActiveX code

Question 46

After a series of Group Policy Object updates, multiple services stopped functioning. The systems administrator believes the issue resulted from a Group Policy Object update but cannot validate which update caused the issue. Which of the following security solutions would resolve this issue?

Options:

A. Privilege management
B. Group Policy Object management
C. Change management
D. Asset management

Question 47

As part of an organization's information security governance process, a Chief Information Security Officer (CISO) is working with the compliance officer to update policies to include statements related to new regulatory and legal requirements. Which of the following should be done to BEST ensure all employees are appropriately aware of changes to the policies?

Options:

A. Conduct a risk assessment based on the controls defined in the newly revised policies
B. Require all employees to attend updated security awareness training and sign an acknowledgement
C. Post the policies on the organization's intranet and provide copies of any revised policies to all active vendors
D. Distribute revised copies of policies to employees and obtain a signed acknowledgement from them

Question 48

A cybersecurity analyst is investigating a potential incident affecting multiple systems on a company's internal network. Although there is a negligible impact to performance, the following symptoms are present on each of the affected systems:

• Existence of a new and unexpected svchost.exe process
• Persistent, outbound TCP/IP connections to an unknown external host with routine keep-alives transferred
• DNS query logs showing successful name resolution for an Internet-resident dynamic DNS domain

If this situation remains unresolved, which of the following will MOST likely occur?

Options:

A. The affected hosts may participate in a coordinated DDoS attack upon command.
B. An adversary may leverage the affected hosts to reconfigure the company's router ACLs.
C. Key files on the affected hosts may become encrypted and require ransom payment for unlock.
D. The adversary may attempt to perform a man-in-the-middle attack.

Question 49

Which of the following is MOST closely related to the concept of privacy?

Options:

A. An individual's control over personal information
B. A policy implementing strong identity management processes
C. A system's ability to protect the confidentiality of sensitive information
D. The implementation of confidentiality, integrity, and availability

Question 50

A company was recently awarded several large government contracts and wants to determine its current risk from one specific APT.

Which of the following threat modeling methodologies would be the MOST appropriate to use during this analysis?

Options:

A. Attack vectors
B. Adversary capability
C. Diamond Model of Intrusion Analysis
D. Kill chain
E. Total attack surface

Question 51

Which of the following secure coding techniques can be used to prevent cross-site request forgery attacks?

Options:

A. Input validation
B. Output encoding
C. Parameterized queries
D. Tokenization

Question 52

An analyst performs a routine scan of a host using Nmap and receives the following output:

Which of the following should the analyst investigate FIRST?

Options:

A. Port 21
B. Port 22
C. Port 23
D. Port 80

Question 53

A routine vulnerability scan detected a known vulnerability in a critical enterprise web application. Which of the following would be the BEST next step?

Options:

A. Submit a change request to have the system patched.
B. Evaluate the risk and criticality to determine if further action is necessary.
C. Notify a manager of the breach and initiate emergency procedures.
D. Remove the application from production and inform the users.

Question 54

An analyst needs to provide a recommendation that will allow a custom-developed application to have full access to the system's processors and peripherals but still be contained securely from other applications that will be developed. Which of the following is the BEST technology for the analyst to recommend?

Options:

A. Software-based drive encryption
B. Hardware security module
C. Unified Extensible Firmware Interface
D. Trusted execution environment

Question 55

After examining a header and footer file, a security analyst begins reconstructing files by scanning the raw data bytes of a hard disk and rebuilding them. Which of the following techniques is the analyst using?

Options:

A. Header analysis
B. File carving
C. Metadata analysis
D. Data recovery

Exam Code: CS0-002
Exam Name: CompTIA CySA+ Certification Exam (CS0-002)
Last Update: Jul 4, 2022
Questions: 372
