CS0-002 Exam Dumps - CompTIA CySA+ Certification Exam (CS0-002)

Question # 4

The help desk provided a security analyst with a screenshot of a user's desktop:

For which of the following is aircrack-ng being used?

A. Wireless access point discovery
B. Rainbow attack
C. Brute-force attack
D. PCAP data collection

Question # 5

An organization recently discovered some inconsistencies in the motherboards it received from a vendor. The organization's security team then provided guidance on how to ensure the authenticity of the motherboards it received from vendors.

Which of the following would be the BEST recommendation for the security analyst to provide?

A. The organization should evaluate current NDAs to ensure enforceability of legal actions.
B. The organization should maintain the relationship with the vendor and enforce vulnerability scans.
C. The organization should ensure all motherboards are equipped with a TPM.
D. The organization should use a certified, trusted vendor as part of the supply chain.

Question # 6

A company's incident response team is handling a threat that was identified on the network. Security analysts have as at remote sites. Which of the following is the MOST appropriate next step in the incident response plan?

A. Quarantine the web server
B. Deploy virtual firewalls
C. Capture a forensic image of the memory and disk
D. Enable web server containerization

Question # 7

A security analyst is reviewing a web application. If an unauthenticated user tries to access a page in the application, the user is redirected to the login page. After successful authentication, the user is then redirected back to the original page. Some users have reported receiving phishing emails with a link that takes them to the application login page but then redirects to a fake login page after successful authentication.

Which of the following will remediate this software vulnerability?

A. Enforce unique session IDs for the application.
B. Deploy a WAF in front of the web application.
C. Check for and enforce the proper domain for the redirect.
D. Use a parameterized query to check the credentials.
E. Implement email filtering with anti-phishing protection.

Question # 8

Which of the following technologies can be used to house the entropy keys for disk encryption on desktops and laptops?

A. Self-encrypting drive
B. Bus encryption
C. TPM
D. HSM

Question # 9

A security analyst is trying to determine if a host is active on a network. The analyst first attempts the following:

The analyst runs the following command next:

Which of the following would explain the difference in results?

A. ICMP is being blocked by a firewall.
B. The routing tables for ping and hping3 were different.
C. The original ping command needed root permission to execute.
D. hping3 is returning a false positive.

Question # 10

Because some clients have reported unauthorized activity on their accounts, a security analyst is reviewing network packet captures from the company's API server. A portion of a capture file is shown below:

POST /services/v1_0/Public/Members.svc/soap
192.168.1.22 - - api.somesite.com 200 0 1006 1001 0 192.168.1.22
POST /services/v1_0/Public/Members.svc/soap somebody@companyname.com 192.168.5.66 - - api.somesite.com 200 0 11558 1712 2024 192.168.4.89
POST /services/v1_0/Public/Members.svc/soap http://schemas.xmlsoap.org/soap/envelope/ "> 516.7.446.605 192.168.1.22 - - api.somesite.com 200 0 1003 1011 307 192.168.1.22
POST /services/v1_0/Public/Members.svc/soap http://schemas.xmlsoap.org/soap/envelope/ "> kmL4krg2CwwWBan5BReGv5Djb7syxXTNKcWFuSjd0161222 4''1=113026046 192.168.5.66 - - api.somesite.com 200 0 1378 1209 48 192.168.4.89

Which of the following MOST likely explains how the clients' accounts were compromised?

A. The clients' authentication tokens were impersonated and replayed.
B. The clients' usernames and passwords were transmitted in cleartext.
C. An XSS scripting attack was carried out on the server.
D. A SQL injection attack was carried out on the server.

Question # 11

A security analyst needs to perform a search for connections with a suspicious IP on the network traffic. The company collects full packet captures at the Internet gateway and retains them for one week. Which of the following will enable the analyst to obtain the BEST results?

A. tcpdump -n -r internet.pcap host
B. strings internet.pcap | grep
C. grep -a internet.pcap
D. npcapd internet.pcap | grep

Question # 12

A pharmaceutical company's marketing team wants to send out notifications about new products to alert users of recalls and newly discovered adverse drug reactions. The team plans to use the names and mailing addresses that users have provided.

Which of the following data privacy standards does this violate?

A. Purpose limitation
B. Sovereignty
C. Data minimization
D. Retention

Question # 13

An analyst wants to identify hosts that are connecting to the external FTP servers and what, if any, passwords are being used. Which of the following commands should the analyst use?

A. tcpdump -X dst port 21
B. ftp ftp.server -p 21
C. nmap -o ftp.server -p 21
D. telnet ftp.server 21

Question # 14

A company wants to reduce the cost of deploying servers to support increased network growth. The company is currently unable to keep up with the demand, so it wants to outsource the infrastructure to a cloud-based solution.

Which of the following is the GREATEST threat for the company to consider when outsourcing its infrastructure?

A. The cloud service provider is unable to provide sufficient logging and monitoring.
B. The cloud service provider is unable to issue sufficient documentation for configurations.
C. The cloud service provider conducts a system backup each weekend and once a week during peak business times.
D. The cloud service provider has an SLA for system uptime that is lower than 99.9%.

Question # 15

Understanding attack vectors and integrating intelligence sources are important components of:

A. proactive threat hunting.
B. risk management compliance.
C. a vulnerability management plan.
D. an incident response plan.

Question # 16

A cybersecurity analyst is investigating a potential incident affecting multiple systems on a company's internal network. Although there is a negligible impact to performance, the following symptoms are present on each of the affected systems:

• Existence of a new and unexpected svchost.exe process
• Persistent, outbound TCP/IP connections to an unknown external host with routine keep-alives transferred
• DNS query logs showing successful name resolution for an Internet-resident dynamic DNS domain

If this situation remains unresolved, which of the following will MOST likely occur?

A. The affected hosts may participate in a coordinated DDoS attack upon command.
B. An adversary may leverage the affected hosts to reconfigure the company's router ACLs.
C. Key files on the affected hosts may become encrypted and require ransom payment for unlock.
D. The adversary may attempt to perform a man-in-the-middle attack.

Question # 17

An analyst is working with a network engineer to resolve a vulnerability that was found in a piece of legacy hardware, which is critical to the operation of the organization's production line. The legacy hardware does not have third-party support, and the OEM manufacturer of the controller is no longer in operation. The analyst documents the activities and verifies these actions prevent remote exploitation of the vulnerability.

Which of the following would be the MOST appropriate to remediate the controller?

A. Segment the network to constrain access to administrative interfaces.
B. Replace the equipment that has third-party support.
C. Remove the legacy hardware from the network.
D. Install an IDS on the network between the switch and the legacy equipment.

Question # 18

A security analyst is investigating an incident that appears to have started with SQL injection against a publicly available web application. Which of the following is the FIRST step the analyst should take to prevent future attacks?

A. Modify the IDS rules to have a signature for SQL injection.
B. Take the server offline to prevent continued SQL injection attacks.
C. Create a WAF rule in block mode for SQL injection.
D. Ask the developers to implement parameterized SQL queries.

Question # 19

Approximately 100 employees at your company have received a phishing email. As a security analyst, you have been tasked with handling this situation.

INSTRUCTIONS

Review the information provided and determine the following:

1. How many employees clicked on the link in the phishing email?
2. On how many workstations was the malware installed?
3. What is the executable file name of the malware?

Question # 20

A security analyst identified one server that was compromised and used as a data making machine, and a few of the hard drive that was created. Which of the following will MOST likely provide information about when and how the machine was compromised and where the malware is located?

A. System timeline reconstruction
B. System registry extraction
C. Data carving
D. Volatile memory analysis

Question # 21

A remote code-execution vulnerability was discovered in the RDP for the servers running a key-hosted application. While there is no automated check for this vulnerability from the vulnerability assessment vendor, the in-house technicians were able to evaluate manually whether this vulnerability was present through the use of custom scripts. This evaluation determined that all the hosts are vulnerable. A technician then tested the patch for this vulnerability and found that it can cause stability issues in the key-hosted application. The application is accessed through RDP to a jump host that does not run the application directly. To mitigate this vulnerability, the security operations team needs to provide remediation steps that will mitigate the vulnerability temporarily until the compatibility issues with the patch are resolved. Which of the following will BEST allow systems to continue to operate and mitigate the vulnerability in the short term?

A. Implement IPSec rules on the application servers through a GPO that limits RDP access from only the jump host. Patch the jump host. Since it does not run the application natively, it will not affect the software's operation and functionality. Do not patch the application servers until the compatibility issue is resolved.
B. Implement IPSec rules on the jump host server through a GPO that limits RDP access from only the other application servers. Do not patch the jump host. Since it does not run the application natively, it is at less risk of being compromised. Patch the application servers to secure them.
C. Implement IPSec rules on the application servers through a GPO that limits RDP access to only other application servers. Do not patch the jump host. Since it does not run the application natively, it is at less risk of being compromised. Patch the application servers to secure them.
D. Implement firewall rules on the application servers through a GPO that limits RDP access to only other application servers. Manually check the jump host to see if it has been compromised. Patch the application servers to secure them.

Question # 22

A security analyst is providing a risk assessment for a medical device that will be installed on the corporate network. During the assessment, the analyst discovers the device has an embedded operating system that will be at the end of its life in two years. Due to the criticality of the device, the security committee makes a risk-based policy decision to review and enforce the vendor upgrade before the end of life is reached.

Which of the following risk actions has the security committee taken?

A. Risk exception
B. Risk avoidance
C. Risk tolerance
D. Risk acceptance

Question # 23

A company's legal department is concerned that its incident response plan does not cover the countless ways security incidents can occur. They have asked a security analyst to help tailor the response plan to provide broad coverage for many situations. Which of the following is the BEST way to achieve this goal?

A. Focus on incidents that may require law enforcement support.
B. Focus on common attack vectors first.
C. Focus on incidents that have a high chance of reputation harm.
D. Focus on incidents that affect critical systems.

Question # 24

During an investigation, a security analyst determines suspicious activity occurred during the night shift over the weekend. Further investigation reveals the activity was initiated from an internal IP going to an external website.

Which of the following would be the MOST appropriate recommendation to prevent the activity from happening in the future?

A. An IPS signature modification for the specific IP addresses
B. An IDS signature modification for the specific IP addresses
C. A firewall rule that will block port 80 traffic
D. A firewall rule that will block traffic from the specific IP addresses

Question # 25

A security analyst identified some potentially malicious processes after capturing the contents of memory from a machine during incident response. Which of the following procedures is the NEXT step for further investigation?

A. Data carving
B. Timeline construction
C. File cloning
D. Reverse engineering

Question # 26

The inability to do remote updates of certificates, keys, software, and firmware is a security issue commonly associated with:

A. web servers on private networks.
B. HVAC control systems.
C. smartphones.
D. firewalls and UTM devices.

Question # 27

As part of a merger with another organization, a Chief Information Security Officer (CISO) is working with an assessor to perform a risk assessment focused on data privacy compliance. The CISO is primarily concerned with the potential legal liability and fines associated with data privacy. Based on the CISO's concerns, the assessor will MOST likely focus on:

A. qualitative probabilities.
B. quantitative probabilities.
C. qualitative magnitude.
D. quantitative magnitude.

Question # 28

A security analyst is reviewing packet captures from a system that was compromised. The system was already isolated from the network, but it did have network access for a few hours after being compromised. When viewing the capture in a packet analyzer, the analyst sees the following:

Which of the following can the analyst conclude?

A. Malware is attempting to beacon to 128.50.100.3.
B. The system is running a DoS attack against ajgidwle.com.
C. The system is scanning ajgidwle.com for PII.
D. Data is being exfiltrated over DNS.

Question # 29

A security analyst is researching an incident and uncovers several details that may link to other incidents. The security analyst wants to determine if other incidents are related to the current incident. Which of the following threat research methodologies would be MOST appropriate for the analyst to use?

A. Reputation data
B. CVSS score
C. Risk assessment
D. Behavioral analysis

Question # 30

A small electronics company decides to use a contractor to assist with the development of a new FPGA-based device. Several of the development phases will occur off-site at the contractor's labs.

Which of the following is the main concern a security analyst should have with this arrangement?

A. Making multiple trips between development sites increases the chance of physical damage to the FPGAs.
B. Moving the FPGAs between development sites will lessen the time that is available for security testing.
C. Development phases occurring at multiple sites may produce change management issues.
D. FPGA applications are easily cloned, increasing the possibility of intellectual property theft.

Question # 31

Ransomware is identified on a company's network that affects both Windows and Mac hosts. The command and control channel for encryption for this variant uses TCP ports from 11000 to 65000. The channel goes to good1.iholdbadkeys.com, which resolves to IP address 72.172.16.2.

Which of the following is the MOST effective way to prevent any newly infected systems from actually encrypting the data on connected network drives while causing the least disruption to normal Internet traffic?

A. Block all outbound traffic to web host good1.iholdbadkeys.com at the border gateway.
B. Block all outbound TCP connections to IP host address 172.172.16.2 at the border gateway.
C. Block all outbound traffic on TCP ports 11000 to 65000 at the border gateway.
D. Block all outbound traffic on TCP ports 11000 to 65000 to IP host address 172.172.16.2 at the border gateway.

Question # 32

A development team signed a contract that requires access to an on-premises physical server. Access must be restricted to authorized users only and cannot be connected to the Internet.

Which of the following solutions would meet this requirement?

A. Establish a hosted SSO.
B. Implement a CASB.
C. Virtualize the server.
D. Air gap the server.

Question # 33

A team of network security analysts is examining network traffic to determine if sensitive data was exfiltrated. Upon further investigation, the analysts believe confidential data was compromised. Which of the following capabilities would BEST defend against this type of sensitive data exfiltration?

A. Deploy an edge firewall.
B. Implement DLP.
C. Deploy EDR.
D. Encrypt the hard drives.

Question # 34

A company wants to establish a threat-hunting team. Which of the following BEST describes the rationale for integrating intelligence into hunt operations?

A. It enables the team to prioritize the focus area and tactics within the company's environment.
B. It provides criticality analyses for key enterprise servers and services.
C. It allows analysts to receive updates on newly discovered software vulnerabilities.
D. It supports rapid response and recovery during and following an incident.

Question # 35

Which of the following data security controls would work BEST to prevent real PII from being used in an organization's test cloud environment?

A. Digital rights management
B. Encryption
C. Access control
D. Data loss prevention
E. Data masking

Question # 36

An organization is focused on restructuring its data governance programs, and an analyst has been tasked with surveying sensitive data within the organization. Which of the following is the MOST accurate method for the security analyst to complete this assignment?

A. Perform an enterprise-wide discovery scan.
B. Consult with an internal data custodian.
C. Review enterprise-wide asset inventory.
D. Create a survey and distribute it to data owners.

Question # 37

A security analyst received a series of antivirus alerts from a workstation segment, and users reported ransomware messages. During lessons-learned activities, the analyst determines the antivirus was able to alert to abnormal behavior but did not stop this newest variant of ransomware. Which of the following actions should be taken to BEST mitigate the effects of this type of threat in the future?

A. Enabling application blacklisting
B. Enabling sandboxing technology
C. Purchasing cyber insurance
D. Installing a firewall between the workstations and Internet

Question # 38

A forensic analyst took an image of a workstation that was involved in an incident. To BEST ensure the image is not tampered with, the analyst should use:

A. hashing.
B. backup tapes.
C. a legal hold.
D. chain of custody.

Question # 39

Which of the following would a security engineer recommend to BEST protect sensitive system data from being accessed on mobile devices?

A. Use a UEFI boot password.
B. Implement a self-encrypted disk.
C. Configure filesystem encryption.
D. Enable Secure Boot using TPM.

Question # 40

A malicious hacker wants to gather guest credentials on a hotel 802.11 network. Which of the following tools is the malicious hacker going to use to gain access to information found on the hotel network?

A. Nikto
B. Aircrack-ng
C. Nessus
D. tcpdump

Question # 41

A development team uses open-source software and follows an Agile methodology with two-week sprints. Last month, the security team filed a bug for an insecure version of a common library. The DevOps team updated the library on the server, and then the security team rescanned the server to verify it was no longer vulnerable. This month, the security team found the same vulnerability on the server.

Which of the following should be done to correct the cause of the vulnerability?

A. Deploy a WAF in front of the application.
B. Implement a software repository management tool.
C. Install a HIPS on the server.
D. Instruct the developers to use input validation in the code.

Question # 42

As part of an intelligence feed, a security analyst receives a report from a third-party trusted source. Within the report are several domains and reputational information that suggest the company's employees may be targeted for a phishing campaign. Which of the following configuration changes would be the MOST appropriate for intelligence gathering?

A. Update the whitelist.
B. Develop a malware signature.
C. Sinkhole the domains.
D. Update the blacklist.

Question # 43

A company stores all of its data in the cloud. All company-owned laptops are currently unmanaged, and all users have administrative rights. The security team is having difficulty identifying a way to secure the environment. Which of the following would be the BEST method to protect the company's data?

A. Implement UEM on all systems and deploy security software.
B. Implement DLP on all workstations and block company data from being sent outside the company.
C. Implement a CASB and prevent certain types of data from being downloaded to a workstation.
D. Implement centralized monitoring and logging for all company systems.

Question # 44

A critical server was compromised by malware, and all functionality was lost. Backups of this server were taken; however, management believes a logic bomb may have been injected by a rootkit. Which of the following should a security analyst perform to restore functionality quickly?

A. Work backward, restoring each backup until the server is clean
B. Restore the previous backup and scan with a live boot anti-malware scanner
C. Stand up a new server and restore critical data from backups
D. Offload the critical data to a new server and continue operations

Question # 45

A development team is testing a new application release. The team needs to import existing client PHI data records from the production environment to the test environment to test accuracy and functionality.

Which of the following would BEST protect the sensitivity of this data while still allowing the team to perform the testing?

A. Deidentification
B. Encoding
C. Encryption
D. Watermarking

Question # 46

A security analyst is supporting an embedded software team. Which of the following is the BEST recommendation to ensure proper error handling at runtime?

A. Perform static code analysis.
B. Require application fuzzing.
C. Enforce input validation.
D. Perform a code review.

Question # 47

A security analyst on the threat-hunting team has developed a list of unneeded, benign services that are currently running as part of the standard OS deployment for workstations. The analyst will provide this list to the operations team to create a policy that will automatically disable the services for all workstations in the organization.

Which of the following BEST describes the security analyst's goal?

A. To create a system baseline
B. To reduce the attack surface
C. To optimize system performance
D. To improve malware detection

Question # 48

Which of the following sources would a security analyst rely on to provide relevant and timely threat information concerning the financial services industry?

A. Information sharing and analysis membership
B. Open-source intelligence, such as social media and blogs
C. Real-time and automated firewall rules subscriptions
D. Common vulnerability and exposure bulletins

Question # 49

A contained section of a building is unable to connect to the Internet. A security analyst investigates the issue but does not see any connections to the corporate web proxy. However, the analyst does notice a small spike in traffic to the Internet. The help desk technician verifies all users are connected to the correct SSID, but there are two of the same SSIDs listed in the network connections. Which of the following BEST describes what is occurring?

A. Bandwidth consumption
B. Denial of service
C. Beaconing
D. Rogue device on the network

Question # 50

A computer hardware manufacturer is developing a new SoC that will be used by mobile devices. The SoC should not allow users or the process to downgrade from a newer firmware to an older one. Which of the following can the hardware manufacturer implement to prevent firmware downgrades?

A. Encryption
B. eFuse
C. Secure Enclave
D. Trusted execution

Question # 51

Risk management wants IT to implement a solution that will permit an analyst to intercept, execute, and analyze potentially malicious files that are downloaded from the Internet.

Which of the following would BEST provide this solution?

A. File fingerprinting
B. Decomposition of malware
C. Risk evaluation
D. Sandboxing

Question # 52

A security analyst has been alerted to several emails that show evidence an employee is planning malicious activities that involve employee PII on the network before leaving the organization. The security analyst's BEST response would be to coordinate with the legal department and:

A. the public relations department.
B. senior leadership.
C. law enforcement.
D. the human resources department.

Question # 53

A security analyst is auditing firewall rules with the goal of scanning some known ports to check the firewall's behavior and responses. The analyst executes the following commands:

The analyst then compares the following results for port 22:

nmap returns "Closed"
hping3 returns "flags=RA"

Which of the following BEST describes the firewall rule?

A. DNAT --to-destination 1.1.1.1:3000
B. REJECT with --tcp-reset
C. LOG --log-tcp-sequence
D. DROP

Question # 54

A team of security analysts has been alerted to potential malware activity. The initial examination indicates one of the affected workstations is beaconing on TCP port 80 to five IP addresses and attempting to spread across the network over port 445. Which of the following should be the team's NEXT step during the detection phase of this response process?

A. Escalate the incident to management, who will then engage the network infrastructure team to keep them informed
B. Depending on system criticality, remove each affected device from the network by disabling wired and wireless connections
C. Engage the engineering team to block SMB traffic internally and outbound HTTP traffic to the five IP addresses
D. Identify potentially affected systems by creating a correlation search in the SIEM based on the network traffic

Question # 55

When attempting to do a stealth scan against a system that does not respond to ping, which of the following Nmap commands BEST accomplishes that goal?

A. nmap -sA -O -noping
B. nmap -sT -O -P0
C. nmap -sS -O -P0
D. nmap -sQ -O -P0