CompTIA Cybersecurity Analyst (CySA+) Study Guide Exam CS0-002 Dumps

1. A security manager has asked an analyst to provide feedback on the results of a penetration lest.

After reviewing the results the manager requests information regarding the possible exploitation of vulnerabilities Much of the following information data points would be MOST useful for the analyst to provide to the security manager who would then communicate the risk factors to senior management? (Select TWO)

2. After a breach involving the exfiltration of a large amount of sensitive data a security analyst is reviewing the following firewall logs to determine how the breach occurred:





Which of the following IP addresses does the analyst need to investigate further?

3. During an investigation, an incident responder intends to recover multiple pieces of digital media.

Before removing the media, the responder should initiate:

4. A cybersecurity analyst has access to several threat feeds and wants to organize them while simultaneously comparing intelligence against network traffic.

Which of the following would BEST accomplish this goal?

5. Which of the following technologies can be used to house the entropy keys for disk encryption on desktops and laptops?

6. A security analyst has received reports of very slow, intermittent access to a public-facing corporate server.

Suspecting the system may be compromised, the analyst runs the following commands:





Based on the output from the above commands, which of the following should the analyst do NEXT to further the investigation?

7. A security analyst was alerted to a tile integrity monitoring event based on a change to the vhost-paymonts .conf file.

The output of the diff command against the known-good backup reads as follows





Which of the following MOST likely occurred?

8. Which of the following is the MOST important objective of a post-incident review?

9. Which of the following would MOST likely be included in the incident response procedure after a security breach of customer PII?

10. A development team signed a contract that requires access to an on-premises physical server. Access must be restricted to authorized users only and cannot be connected to the Internet.

Which of the following solutions would meet this requirement?

11. Which of the following policies would state an employee should not disable security safeguards, such as host firewalls and antivirus on company systems?

12. A compliance officer of a large organization has reviewed the firm's vendor management program but has discovered there are no controls defined to evaluate third-party risk or hardware source authenticity. The compliance officer wants to gain some level of assurance on a recurring basis regarding the implementation of controls by third parties.

Which of the following would BEST satisfy the objectives defined by the compliance officer? (Choose two.)

13. A security analyst is conducting a post-incident log analysis to determine which indicators can be used to detect further occurrences of a data exfiltration incident.

The analyst determines backups were not performed during this time and reviews the following:





Which of the following should the analyst review to find out how the data was exfilltrated?

14. A cybersecurity analyst is responding to an incident. The company’s leadership team wants to attribute the incident to an attack group.

Which of the following models would BEST apply to the situation?

15. A security analyst is investigating a system compromise. The analyst verities the system was up to date on OS patches at the time of the compromise.

Which of the following describes the type of vulnerability that was MOST likely expiated?

16. An analyst is performing penetration testing and vulnerability assessment activities against a new vehicle automation platform.

Which of the following is MOST likely an attack vector that is being utilized as part of the testing and assessment?

17. A SIEM solution alerts a security analyst of a high number of login attempts against the company's webmail portal. The analyst determines the login attempts used credentials from a past data breach.

Which of the following is the BEST mitigation to prevent unauthorized access?

18. An organization suspects it has had a breach, and it is trying to determine the potential impact. The organization knows the following:

✑ The source of the breach is linked to an IP located in a foreign country.

✑ The breach is isolated to the research and development servers.

✑ The hash values of the data before and after the breach are unchanged.

✑ The affected servers were regularly patched, and a recent scan showed no vulnerabilities.

Which of the following conclusions can be drawn with respect to the threat and impact? (Choose two.)

19. An audit has revealed an organization is utilizing a large number of servers that are running unsupported operating systems.

As part of the management response phase of the audit, which of the following would BEST demonstrate senior management is appropriately aware of and addressing the issue?

20. 1.Which of the following software security best practices would prevent an attacker from being able to run arbitrary SQL commands within a web application? (Choose two.)

21. A company recently experienced a break-in whereby a number of hardware assets were stolen through unauthorized access at the back of the building.

Which of the following would BEST prevent this type of theft from occurring in the future?

22. An analyst is investigating an anomalous event reported by the SOC. After reviewing the system logs the analyst identifies an unexpected addition of a user with root-level privileges on the endpoint.

Which of the following data sources will BEST help the analyst to determine whether this event constitutes an incident?

23. Bootloader malware was recently discovered on several company workstations. All the workstations run Windows and are current models with UEFI capability.

Which of the following UEFI settings is the MOST likely cause of the infections?

24. A security analyst at a technology solutions firm has uncovered the same vulnerabilities on a vulnerability scan for a long period of time. The vulnerabilities are on systems that are dedicated to the firm's largest client.

Which of the following is MOST likely inhibiting the remediation efforts?

25. Which of the following is the BEST way to share incident-related artifacts to provide non-repudiation?

26. A security analyst is investigating a compromised Linux server.

The analyst issues the ps command and receives the following output.





Which of the following commands should the administrator run NEXT to further analyze the compromised system?

27. An organization that handles sensitive financial information wants to perform tokenization of data to enable the execution of recurring transactions. The organization is most interested m a secure, built-in device to support its solution.

Which of the following would MOST likely be required to perform the desired function?

28. A security analyst is trying to determine if a host is active on a network.

The analyst first attempts the following:





The analyst runs the following command next:





Which of the following would explain the difference in results?

29. A threat feed notes malicious actors have been infiltrating companies and exfiltration data to a specific set of domains Management at an organization wants to know if it is a victim.

Which of the following should the security analyst recommend to identity this behavior without alerting any potential malicious actors?

30. Because some clients have reported unauthorized activity on their accounts, a security analyst is reviewing network packet captures from the company's API server.

A portion of a capture file is shown below:

POST /services/v1_0/Public/Members.svc/soap <s:Envelope+xmlns:s="http://schemas.s/soap/envelope/"><s:Body><GetIPLocation+xmlns="http://tempuri.org/">

<request+xmlns:a="http://schemas.somesite.org"+xmlns:i="http://www.w3.org/2001/XMLSchema-instance"></s:Body></s:Envelope> 192.168.1.22 --api.somesite.com 200 0 1006 1001 0 192.168.1.22

POST /services/v1_0/Public/Members.svc/soap <<a:Password>Password123</a:Password><a:ResetPasswordToken+i:nil="true"/> <a:ShouldImpersonatedAuthenticationBePopulated+i:nil="true"/><a:Username>[email protected]</a:Username></request></Login></s:Body></s:Envelope> 192.168.5.66 --api.somesite.com 200 0 11558 1712 2024 192.168.4.89

POST /services/v1_0/Public/Members.svc/soap <s:Envelope+xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetIPLocation+xmlns="http://tempuri.org/"> <a:IPAddress>516.7.446.605</a:IPAddress><a:ZipCode+i:nil="true"/></request></GetIPLocation></s:Body></s:Envelope> 192.168.1.22 --api.somesite.com 200 0 1003 1011 307 192.168.1.22

POST /services/v1_0/Public/Members.svc/soap <s:Envelope+xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><IsLoggedIn+xmlns="http://tempuri.org/"> <request+xmlns:a="http://schemas.datacontract.org/2004/07/somesite.web+xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><a:Authentication> <a:ApiToken>kmL4krg2CwwWBan5BReGv5Djb7syxXTNKcWFuSjd</a:ApiToken><a:ImpersonateUserId>0</a:ImpersonateUserId><a:LocationId>161222</a:LocationId> <a:NetworkId>4</a:NetworkId><a:ProviderId>''1=1</a:ProviderId><a:UserId>13026046</a:UserId></a:Authentication></request></IsLoggedIn></s:Body></s:Envelope> 192.168.5.66 --api.somesite.com 200 0 1378 1209 48 192.168.4.89

Which of the following MOST likely explains how the clients' accounts were compromised?

31. A Chief Information Security Officer (CISO) is concerned the development team, which consists of contractors, has too much access to customer datA. Developers use personal workstations, giving the company little to no visibility into the development activities.

Which of the following would be BEST to implement to alleviate the CISO's concern?

32. A large software company wants to move «s source control and deployment pipelines into a cloud-computing environment. Due to the nature of the business management determines the recovery time objective needs to be within one hour.

Which of the following strategies would put the company in the BEST position to achieve the desired recovery time?

33. A small electronics company decides to use a contractor to assist with the development of a new FPGA-based device. Several of the development phases will occur off-site at the contractor's labs.

Which of the following is the main concern a security analyst should have with this arrangement?

34. Which of the following roles is ultimately responsible for determining the classification levels assigned to specific data sets?

35. A security analyst for a large financial institution is creating a threat model for a specific threat actor that is likely targeting an organization's financial assets.

Which of the following is the BEST example of the level of sophistication this threat actor is using?

36. A web-based front end for a business intelligence application uses pass-through authentication to authenticate users. The application then uses a service account, to perform queries and look up data m a database A security analyst discovers employees are accessing data sets they have not been authorized to use.

Which of the following will fix the cause of the issue?

37. A security team wants to make SaaS solutions accessible from only the corporate campus

Which of the following would BEST accomplish this goal?

38. A company's modem response team is handling a threat that was identified on the network Security analysts have as at remote sites.

Which of the following is the MOST appropriate next step in the incident response plan?

39. When attempting to do a stealth scan against a system that does not respond to ping, which of the following Nmap commands BEST accomplishes that goal?

40. An organization has not had an incident for several months. The Chief Information Security Officer (CISO) wants to move to a more proactive stance for security investigations.

Which of the following would BEST meet that goal?

41. A security architect is reviewing the options for performing input validation on incoming web form submissions.

Which of the following should the architect as the MOST secure and manageable option?

42. A product manager is working with an analyst to design a new application that will perform as a data analytics platform and will be accessible via a web browser. The product manager suggests using a PaaS provider to host the application.

Which of the following is a security concern when using a PaaS solution?

43. A security analyst has discovered trial developers have installed browsers on all development servers in the company's cloud infrastructure and are using them to browse the Internet.

Which of the following changes should the security analyst make to BEST protect the environment?

44. A security analyst is reviewing the logs from an internal chat server.

The chat.log file is too large to review manually, so the analyst wants to create a shorter log file that only includes lines associated with a user demonstrating anomalous activity.

Below is a snippet of the log:





Which of the following commands would work BEST to achieve the desired result?

45. An organization developed a comprehensive incident response policy. Executive management approved the policy and its associated procedures.

Which of the following activities would be MOST beneficial to evaluate personnel’s familiarity with incident response procedures?

46. A security analyst is attempting to utilize the blowing threat intelligence for developing detection capabilities:





In which of the following phases is this APT MOST likely to leave discoverable artifacts?

47. A security analyst has observed several incidents within an organization that are affecting one specific piece of hardware on the network. Further investigation reveals the equipment vendor previously released a patch.

Which of the following is the MOST appropriate threat classification for these incidents?

48. A system is experiencing noticeably slow response times, and users are being locked out frequently. An analyst asked for the system security plan and found the system comprises two servers: an application server in the DMZ and a database server inside the trusted domain.

Which of the following should be performed NEXT to investigate the availability issue?

49. Which of the following is the use of tools to simulate the ability for an attacker to gain access to a specified network?

50. A security analyst, who is working for a company that utilizes Linux servers, receives the following results from a vulnerability scan:





Which of the following is MOST likely a false positive?

51. A pharmaceutical company's marketing team wants to send out notifications about new products to alert users of recalls and newly discovered adverse drug reactions. The team plans to use the names and mailing addresses that users have provided.

Which of the following data privacy standards does this violate?

52. The security team at a large corporation is helping the payment-processing team to prepare for a regulatory compliance audit and meet the following objectives:

✑ Reduce the number of potential findings by the auditors.

✑ Limit the scope of the audit to only devices used by the payment-processing team for activities directly impacted by the regulations.

✑ Prevent the external-facing web infrastructure used by other teams from coming into scope.

✑ Limit the amount of exposure the company will face if the systems used by the payment-processing team are compromised.

Which of the following would be the MOST effective way for the security team to meet these objectives?

53. The inability to do remote updates of certificates, keys, software, and firmware is a security issue commonly associated with:

54. A large amount of confidential data was leaked during a recent security breach. As part of a forensic investigation, the security team needs to identify the various types of traffic that were captured between two compromised devices.

Which of the following should be used to identify the traffic?

55. A security analyst is reviewing the following log from an email security service.





Which of the following BEST describes the reason why the email was blocked?

56. During a routine log review, a security analyst has found the following commands that cannot be identified from the Bash history log on the root user.





Which of the following commands should the analyst investigate FIRST?

57. Which of the following would a security engineer recommend to BEST protect sensitive system data from being accessed on mobile devices?

58. A security analyst has been alerted to several emails that snow evidence an employee is planning malicious activities that involve employee Pll on the network before leaving the organization.

The security analysis BEST response would be to coordinate with the legal department and:

59. A cybersecurity analyst is reading a daily intelligence digest of new vulnerabilities. The type of vulnerability that should be disseminated FIRST is one that:

60. A Chief Information Security Officer (CISO) wants to upgrade an organization's security posture by improving proactive activities associated with attacks from internal and external threats.

Which of the following is the MOST proactive tool or technique that feeds incident response capabilities?

61. A security analyst is reviewing a web application. If an unauthenticated user tries to access a page in the application, the user is redirected to the login page. After successful authentication, the user is then redirected back to the original page. Some users have reported receiving phishing emails with a link that takes them to the application login page but then redirects to a fake login page after successful authentication.

Which of the following will remediate this software vulnerability?

62. During a cyber incident, which of the following is the BEST course of action?

63. A network attack that is exploiting a vulnerability in the SNMP is detected.

Which of the following should the cybersecurity analyst do FIRST?

64. A security analyst is evaluating two vulnerability management tools for possible use in an organization. The analyst set up each of the tools according to the respective vendor's instructions and generated a report of vulnerabilities that ran against the same target server.

Tool A reported the following:





Tool B reported the following:





Which of the following BEST describes the method used by each tool? (Choose two.)

65. Joe, a penetration tester, used a professional directory to identify a network administrator and ID administrator for a client’s company. Joe then emailed the network administrator, identifying himself as the ID administrator, and asked for a current password as part of a security exercise.

Which of the following techniques were used in this scenario?

66. Which of the following MOST accurately describes an HSM?

67. Which of the following attacks can be prevented by using output encoding?

68. An information security analyst is working with a data owner to identify the appropriate controls to preserve the confidentiality of data within an enterprise environment One of the primary concerns is exfiltration of data by malicious insiders.

Which of the following controls is the MOST appropriate to mitigate risks?

69. An analyst has been asked to provide feedback regarding the control required by a revised regulatory framework At this time, the analyst only needs to focus on the technical controls.

Which of the following should the analyst provide an assessment of?

70. During an investigation, a security analyst determines suspicious activity occurred during the night shift over the weekend. Further investigation reveals the activity was initiated from an internal IP going to an external website.

Which of the following would be the MOST appropriate recommendation to prevent the activity from happening in the future?

71. A security analyst reviews the following aggregated output from an Nmap scan and the border firewall ACL:





Which of the following should the analyst reconfigure to BEST reduce organizational risk while maintaining current functionality?

72. A security analyst discovers a vulnerability on an unpatched web server that is used for testing machine learning on Bing Data sets. Exploitation of the vulnerability could cost the organization $1.5 million in lost productivity. The server is located on an isolated network segment that has a 5% chance of being compromised.

Which of the following is the value of this risk?

73. As part of a merger with another organization, a Chief Information Security Officer (CISO) is working with an assessor to perform a risk assessment focused on data privacy compliance. The CISO is primarily concerned with the potential legal liability and fines associated with data privacy.

Based on the CISO's concerns, the assessor will MOST likely focus on:

74. A user receives a potentially malicious email that contains spelling errors and a PDF document. A security analyst reviews the email and decides to download the attachment to a Linux sandbox for review.

Which of the following commands would MOST likely indicate if the email is malicious?

75. An executive assistant wants to onboard a new cloud based product to help with business analytics and dashboarding.

When of the following would be the BEST integration option for the service?

76. A cybersecurity analyst is supporting an incident response effort via threat intelligence.

Which of the following is the analyst MOST likely executing?

77. An organization has several systems that require specific logons Over the past few months, the security analyst has noticed numerous failed logon attempts followed by password resets.

Which of the following should the analyst do to reduce the occurrence of legitimate failed logons and password resets?

78. A security analyst conducted a risk assessment on an organization's wireless network and identified a high-risk element in the implementation of data confidentially protection.

Which of the following is the BEST technical security control to mitigate this risk?

79. Which of the following types of policies is used to regulate data storage on the network?

80. An analyst is participating in the solution analysis process for a cloud-hosted SIEM platform to centralize log monitoring and alerting capabilities in the SOC.

Which of the following is the BEST approach for supply chain assessment when selecting a vendor?

81. A security analyst is providing a risk assessment for a medical device that will be installed on the corporate network. During the assessment, the analyst discovers the device has an embedded operating system that will be at the end of its life in two years. Due to the criticality of the device, the security committee makes a risk- based policy decision to review and enforce the vendor upgrade before the end of life is reached.

Which of the following risk actions has the security committee taken?

82. An organization was alerted to a possible compromise after its proprietary data was found for sale on the Internet. An analyst is reviewing the logs from the next-generation UTM in an attempt to find evidence of this breach.

Given the following output:





Which of the following should be the focus of the investigation?

83. As part of an exercise set up by the information security officer, the IT staff must move some of the network systems to an off-site facility and redeploy them for testing. All staff members must ensure their respective systems can power back up and match their gold image. If they find any inconsistencies, they must formally document the information.

Which of the following BEST describes this test?

84. A security analyst needs to assess the web server versions on a list of hosts to determine which are running a vulnerable version of the software and output that list into an XML file named webserverlist.xml. The host list is provided in a file named webserverlist.txt.

Which of the following Nmap commands would BEST accomplish this goal?

85. A web developer wants to create a new web part within the company website that aggregates sales from individual team sites. A cybersecurity analyst wants to ensure security measurements are implemented during this process.

Which of the following remediation actions should the analyst take to implement a vulnerability management process?

86. An information security analyst is reviewing backup data sets as part of a project focused on eliminating archival data sets.

Which of the following should be considered FIRST prior to disposing of the electronic data?

87. A storage area network (SAN) was inadvertently powered off while power maintenance was being performed in a datacenter. None of the systems should have lost all power during the maintenance. Upon review, it is discovered that a SAN administrator moved a power plug when testing the SAN's fault notification features.

Which of the following should be done to prevent this issue from reoccurring?

88. An analyst identifies multiple instances of node-to-node communication between several endpoints within the 10.200.2.0/24 network and a user machine at the IP address 10.200.2.5. This user machine at the IP address 10.200.2.5 is also identified as initiating outbound communication during atypical business hours with several IP addresses that have recently appeared on threat feeds.

Which of the following can be inferred from this activity?

89. During routine monitoring, a security analyst discovers several suspicious websites that are communicating with a local host.

The analyst queries for IP 192.168.50.2 for a 24-hour period:





To further investigate, the analyst should request PCAP for SRC 192.168.50.2 and.

90. A malicious hacker wants to gather guest credentials on a hotel 802.11 network.

Which of the following tools is the malicious hacker going to use to gain access to information found on the hotel network?

91. An organization wants to move non-essential services into a cloud computing environment. Management has a cost focus and would like to achieve a recovery time objective of 12 hours.

Which of the following cloud recovery strategies would work BEST to attain the desired outcome?

92. HOTSPOT

Welcome to the Enterprise Help Desk System. Please work the ticket escalated to you in the desk ticket queue.



INSTRUCTIONS

Click on me ticket to see the ticket details Additional content is available on tabs within the ticket

First, select the appropriate issue from the drop-down menu. Then, select the MOST likely root cause from second drop-down menu

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button

93. The computer incident response team at a multinational company has determined that a breach of sensitive data has occurred in which a threat actor has compromised the organization’s email system. Per the incident response procedures, this breach requires notifying the board immediately.

Which of the following would be the BEST method of communication?

94. A security analyst discovered a specific series of IP addresses that are targeting an organization. None of the attacks have been successful.

Which of the following should the security analyst perform NEXT?

95. A security analyst wants to identify which vulnerabilities a potential attacker might initially exploit if the network is compromised.

Which of the following would provide the BEST results?

96. A user's computer has been running slowly when the user tries to access web pages.

A security analyst runs the command netstat -aon from the command line and receives the following output:





Which of the following lines indicates the computer may be compromised?

97. A security analyst gathered forensics from a recent intrusion in preparation for legal proceedings. The analyst used EnCase to gather the digital forensics. cloned the hard drive, and took the hard drive home for further analysis.

Which of the following of the security analyst violate?

98. A developer wrote a script to make names and other Pll data unidentifiable before loading a database export into the testing system.

Which of the following describes the type of control that is being used?

99. A security analyst has discovered suspicious traffic and determined a host is connecting to a known malicious website.

The MOST appropriate action for the analyst to take would be lo implement a change request to:

100. A cybersecurity analyst needs to rearchitect the network using a firewall and a VPN server to achieve the highest level of security To BEST complete this task, the analyst should place the: