Practice Exam Version:
Part 1: https://awslagi.com/comptia-cysa-cs0-002-certification-exam-part-1/
Part 2: https://awslagi.com/comptia-cysa-cs0-002-certification-exam-part-2/
Part 3: https://awslagi.com/comptia-cysa-cs0-002-certification-exam-part-3/
Part 4: https://awslagi.com/comptia-cysa-cs0-002-certification-exam-part-4/
Part 5: https://awslagi.com/comptia-cysa-cs0-002-certification-exam-part-5/
Part 6: https://awslagi.com/comptia-cysa-cs0-002-certification-exam-part-6/
Actual Exam Version: https://awslagi.com/course-category/comptia/
Q181.An analyst is responding to an incident involving an attack on a company-owned mobile device that was being used by an employee to collect data from clients in the field. Malware was loaded on the device via the installation of a third-party software package. The analyst has baselined the device. Which of the following should the analyst do to BEST mitigate future attacks?
A. Implement MDM.
B. Update the malware catalog.
C. Patch the mobile device’s OS.
D. Block third-party applications.
Q182.Which of the following types of controls defines placing an ACL on a file folder?
A. Technical control
B. Confidentiality control
C. Managerial control
D. Operational control
Q183.A Chief Information Security Officer has asked for a list of hosts that have critical and high-severity findings as referenced in the CVE database. Which of the following tools would produce the assessment output needed to satisfy this request?
Q184.Which of the following attack techniques has the GREATEST likelihood of quick success against Modbus assets?
A. Remote code execution
B. Buffer overflow
C. Unauthenticated commands
D. Certificate spoofing
Q185.While planning segmentation for an ICS environment, a security engineer determines IT resources will need access to devices within the ICS environment without compromising security. To provide the MOST secure access model in this scenario, the jumpbox should be __________.
A. placed in an isolated network segment, authenticated on the IT side, and forwarded into the ICS network.
B. placed on the ICS network with a static firewall rule that allows IT network resources to authenticate.
C. bridged between the IT and operational technology networks to allow authenticated access.
D. placed on the IT side of the network, authenticated, and tunneled into the ICS environment.
Q186.A security analyst is reviewing the following server statistics:
Which of the following is MOST likely occurring?
A. Race condition
B. Privilege escalation
C. Resource exhaustion
D. VM escape
Q187.When investigating a report of a system compromise, a security analyst views the following /var/log/secure log file:
Which of the following can the analyst conclude from viewing the log file?
A. The comptia user knows the sudo password.
B. The comptia user executed the sudo su command.
C. The comptia user knows the root password.
D. The comptia user added himself or herself to the /etc/sudoers file.
Q188.An incident response team detected malicious software that could have gained access to credit card data. The incident response team was able to mitigate significant damage and implement corrective actions. By having incident response mechanisms in place, which of the following should be notified for lessons learned?
A. The human resources department
C. Company leadership
D. The legal team
Q189.After examining a header and footer file, a security analyst begins reconstructing files by scanning the raw data bytes of a hard disk and rebuilding them. Which of the following techniques is the analyst using?
A. Header analysis
B. File carving
C. Metadata analysis
D. Data recovery
Q190.Which of the following BEST describes what an organization’s incident response plan should cover regarding how the organization handles public or private disclosures of an incident?
A. The disclosure section should focus on how to reduce the likelihood customers will leave due to the incident.
B. The disclosure section should contain the organization’s legal and regulatory requirements regarding disclosures.
C. The disclosure section should include the names and contact information of key employees who are needed for incident resolution.
D. The disclosure section should contain language explaining how the organization will reduce the likelihood of the incident from happening in the future.
Q191.A security analyst is investigating an incident related to an alert from the threat detection platform on a host (10.0.1.25) in a staging environment that could be running a crypto mining tool because it is sending traffic to an IP address that is related to Bitcoin. The network rules for the instance are the following:
Which of the following is the BEST way to isolate and triage the host?
A. Remove rules 1, 2, and 3.
B. Remove rules 1, 2, 4, and 5.
C. Remove rules 1, 2, 3, 4, and 5.
D. Remove rules 1, 2, and 5.
E. Remove rules 1, 4, and 5.
F. Remove rules 4 and 5.
Q192.Which of the following BEST explains the function of TPM?
A. To provide hardware-based security features using unique keys
B. To ensure platform confidentiality by storing security measurements
C. To improve management of the OS installations
D. To implement encryption algorithms for hard drives
Q193.An executive assistant wants to onboard a new cloud-based product to help with business analytics and dashboarding. Which of the following would be the BEST integration option for this service?
A. Manually log in to the service and upload data files on a regular basis.
B. Have the internal development team script connectivity and file transfers to the new service.
C. Create a dedicated SFTP site and schedule transfers to ensure file transport security.
D. Utilize the cloud product’s API for supported and ongoing integrations.
Q194.A security analyst reviews a recent network capture and notices encrypted inbound traffic on TCP port 465 was coming into the company’s network from a database server. Which of the following will the security analyst MOST likely identify as the reason for the traffic on this port?
A. The server is configured to communicate on the secure database standard listener port.
B. Someone has configured an unauthorized SMTP application over SSL.
C. A connection from the database to the web front end is communicating on the port.
D. The server is receiving a secure connection using the new TLS 1.3 standard.
Q195.An organization has not had an incident for several months. The Chief Information Security Officer wants to move to a more proactive stance for security investigations. Which of the following would BEST meet that goal?
A. Root-cause analysis
B. Active response
C. Advanced antivirus
D. Information-sharing community
E. Threat hunting
Q196.A security analyst on the threat-hunting team has developed a list of unneeded, benign services that are currently running as part of the standard OS deployment for workstations. The analyst will provide this list to the operations team to create a policy that will automatically disable the services for all workstations in the organization. Which of the following BEST describes the security analyst’s goal?
A. To create a system baseline
B. To reduce the attack surface
C. To optimize system performance
D. To improve malware detection
Q197.Which of the following BEST identifies the appropriate use of threat intelligence as a function of detection and response?
A. To identify weaknesses in an organization’s security posture
B. To identify likely attack scenarios within an organization
C. To build a business continuity plan for an organization
D. To build a network segmentation strategy
Q198.An organization has specific technical risk mitigation configurations that must be implemented before a new server can be approved for production. Several critical servers were recently deployed with the antivirus missing, unnecessary ports disabled, and insufficient password complexity. Which of the following should the analyst recommend to prevent a recurrence of this risk exposure?
A. Perform password-cracking attempts on all devices going into production
B. Perform an Nmap scan on all devices before they are released to production
C. Perform antivirus scans on all devices before they are approved for production
D. Perform automated security controls testing of expected configurations prior to production
Q199.Understanding attack vectors and integrating intelligence sources are important components of:
A. a vulnerability management plan.
B. proactive threat hunting.
C. risk management compliance.
D. an incident response plan.
Q200.A user receives a potentially malicious email that contains spelling errors and a PDF document. A security analyst reviews the email and decides to download the attachment to a Linux sandbox for review.
Which of the following commands would MOST likely indicate if the email is malicious?
A. sha256sum ~/Desktop/file.pdf
B. file ~/Desktop/file.pdf
C. strings ~/Desktop/file.pdf | grep “
Which of the following technologies would MOST likely be used to prevent this phishing attempt?
Q202.An information security analyst on a threat-hunting team is working with administrators to create a hypothesis related to an internally developed web application.
The working hypothesis is as follows:
✑ Due to the nature of the industry, the application hosts sensitive data associated with many clients and is a significant target.
✑ The platform is most likely vulnerable to poor patching and inadequate server hardening, which expose vulnerable services.
✑ The application is likely to be targeted with SQL injection attacks due to the large number of reporting capabilities within the application.
As a result, the systems administrator upgrades outdated service applications and validates the endpoint configuration against an industry benchmark. The analyst suggests developers receive additional training on implementing identity and access management, and also implements a WAF to protect against SQL injection attacks. Which of the following BEST represents the technique in use?
A. Improving detection capabilities
B. Bundling critical assets
C. Profiling threat actors and activities
D. Reducing the attack surface area
Q203.The inability to do remote updates of certificates, keys, software, and firmware is a security issue commonly associated with:
A. web servers on private networks
B. HVAC control systems
D. firewalls and UTM devices
Q204.A Chief Information Security Officer (CISO) is concerned the development team, which consists of contractors, has too much access to customer data. Developers use personal workstations, giving the company little to no visibility into the development activities.
Which of the following would be BEST to implement to alleviate the CISO’s concern?
C. Test data
Q205.A SIEM analyst receives an alert containing the following URL: http://companywebsite.com/displayPicture?filenamE=../../../../etc/passwd
Which of the following BEST describes the attack?
A. Password spraying
B. Buffer overflow
C. Insecure object access
D. Directory traversal
Q206.A small organization has proprietary software that is used internally. The system has not been well maintained and cannot be updated with the rest of the environment. Which of the following is the BEST solution?
A. Virtualize the system and decommission the physical machine.
B. Remove it from the network and require air gapping.
C. Implement privileged access management for identity access.
D. Implement MFA on the specific system.
Q207.After a series of Group Policy Object updates, multiple services stopped functioning. The systems administrator believes the issue resulted from a Group Policy Object update but cannot validate which update caused the issue. Which of the following security solutions would resolve this issue?
A. Privilege management
B. Group Policy Object management
C. Change management
D. Asset management
Q208.A team of network security analysts is examining network traffic to determine if sensitive data was exfiltrated. Upon further investigation, the analysts believe confidential data was compromised. Which of the following capabilities would BEST defend against this type of sensitive data exfiltration?
A. Deploy an edge firewall.
B. Implement DLP.
C. Deploy EDR.
D. Encrypt the hard drives.
Q209.During a review of SIEM alerts, a security analyst discovers the SIEM is receiving many alerts per day from the file-integrity monitoring tool about files from a newly deployed application that should not change. Which of the following steps should the analyst complete FIRST to respond to the issue?
A. Warn the incident response team that the server can be compromised.
B. Open a ticket informing the development team about the alerts.
C. Check if temporary files are being monitored.
D. Dismiss the alert, as the new application is still being adapted to the environment.
Q210.Which of the following are reasons why consumer IoT devices should be avoided in an enterprise environment? (Choose two.)
A. Message queuing telemetry transport does not support encryption.
B. The devices may have weak or known passwords.
C. The devices may cause a dramatic increase in wireless network traffic.
D. The devices may utilize unsecure network protocols.
E. Multiple devices may interfere with the functions of other IoT devices.
F. The devices are not compatible with TLS 1.2.
Q211.An organization is adopting IoT devices at an increasing rate and will need to account for firmware updates in its vulnerability management programs. Despite the number of devices being deployed, the organization has only focused on software patches so far, leaving hardware-related weaknesses open to compromise.
Which of the following best practices will help the organization to track and deploy trusted firmware updates as part of its vulnerability management programs?
A. Utilize threat intelligence to guide risk evaluation activities and implement critical updates after proper testing.
B. Apply all firmware updates as soon as they are released to mitigate the risk of compromise.
C. Sign up for vendor emails and create firmware update change plans for affected devices.
D. Implement an automated solution that detects when vendors release firmware updates and immediately deploy updates to production.
Q212.Which of the following organizational initiatives would be MOST impacted by data sovereignty issues?
A. Moving to a cloud-based environment
B. Migrating to locally hosted virtual servers
C. Implementing non-repudiation controls
D. Encrypting local database queries
Q213.A security team implemented a SIEM as part of its security-monitoring program. There is a requirement to integrate a number of sources into the SIEM to provide better context relative to the events being processed. Which of the following BEST describes the result the security team hopes to accomplish by adding these sources?
A. Data enrichment
B. Continuous integration
C. Machine learning
D. Workflow orchestration
Q214.While reviewing incident reports from the previous night, a security analyst notices the corporate websites were defaced with political propaganda. Which of the following BEST describes this type of actor?
C. Insider threat
D. Organized crime
Q215.A development team has asked users to conduct testing to ensure an application meets the needs of the business. Which of the following types of testing does this describe?
A. Acceptance testing
B. Stress testing
C. Regression testing
D. Penetration testing
Q216.A security analyst has observed several incidents within an organization that are affecting one specific piece of hardware on the network. Further investigation reveals the equipment vendor previously released a patch.
Which of the following is the MOST appropriate threat classification for these incidents?
A. Known threat
B. Zero day
C. Unknown threat
D. Advanced persistent threat
Q217.An analyst is working with a network engineer to resolve a vulnerability that was found in a piece of legacy hardware, which is critical to the operation of the organization’s production line. The legacy hardware does not have third-party support, and the OEM manufacturer of the controller is no longer in operation. The analyst documents the activities and verifies these actions prevent remote exploitation of the vulnerability.
Which of the following would be the MOST appropriate to remediate the controller?
A. Segment the network to constrain access to administrative interfaces.
B. Replace the equipment that has third-party support.
C. Remove the legacy hardware from the network.
D. Install an IDS on the network between the switch and the legacy equipment.
Q218.A pharmaceutical company’s marketing team wants to send out notifications about new products to alert users of recalls and newly discovered adverse drug reactions. The team plans to use the names and mailing addresses that users have provided.
Which of the following data privacy standards does this violate?
A. Purpose limitation
C. Data minimization
Q219.Which of the following secure coding techniques can be used to prevent cross-site request forgery attacks?
A. Input validation
B. Output encoding
C. Parameterized queries
Q220.The threat intelligence department recently learned of an advanced persistent threat that is leveraging a new strain of malware, exploiting a system router. The company currently uses the same device mentioned in the threat report. Which of the following configuration changes would BEST improve the organization’s security posture?
A. Implement an IPS rule that contains content for the malware variant and patch the routers to protect against the vulnerability
B. Implement an IDS rule that contains the IP addresses from the advanced persistent threat and patch the routers to protect against the vulnerability
C. Implement an IPS rule that contains the IP addresses from the advanced persistent threat and patch the routers to protect against the vulnerability
D. Implement an IDS rule that contains content for the malware variant and patch the routers to protect against the vulnerability
Q221.A hybrid control is one that:
A. is implemented differently on individual systems
B. is implemented at the enterprise and system levels
C. has operational and technical components
D. authenticates using passwords and hardware tokens
Q222.An organization’s Chief Information Security Officer (CISO) has asked department leaders to coordinate on communication plans that can be enacted in response to different cybersecurity incident triggers. Which of the following is a benefit of having these communication plans?
A. They can help to prevent the inadvertent release of damaging information outside the organization.
B. They can help to limit the spread of worms by coordinating with help desk personnel earlier in the recovery phase.
C. They can quickly inform the public relations team to begin coordinating with the media as soon as a breach is detected.
D. They can help to keep the organization’s senior leadership informed about the status of patching during the recovery phase.
Q223.A security analyst is responding to an incident on a web server on the company network that is making a large number of outbound requests over DNS. Which of the following is the FIRST step the analyst should take to evaluate this potential indicator of compromise?
A. Run an anti-malware scan on the system to detect and eradicate the current threat
B. Start a network capture on the system to look into the DNS requests to validate command and control traffic
C. Shut down the system to prevent further degradation of the company network
D. Reimage the machine to remove the threat completely and get back to a normal running state
E. Isolate the system on the network to ensure it cannot access other systems while evaluation is underway
Q224.Portions of a legacy application are being refactored to discontinue the use of dynamic SQL. Which of the following would be BEST to implement in the legacy application?
A. Input validation
B. SQL injection
C. Parameterized queries
D. Web-application firewall
E. Multifactor authentication
Q225.A company has contracted with a software development vendor to design a web portal for customers to access a medical records database. Which of the following should the security analyst recommend to BEST control the unauthorized disclosure of sensitive data when sharing the development database with the vendor?
A. Establish an NDA with the vendor.
B. Enable data masking of sensitive data tables in the database.
C. Set all database tables to read only.
D. Use a de-identified data process for the development database.
Q226.A host is spamming the network unintentionally. Which of the following control types should be used to address this situation?
Q227.While preparing for an audit of information security controls in the environment, an analyst outlines a framework control that has the following requirements:
✑ All sensitive data must be classified.
✑ All sensitive data must be purged on a quarterly basis.
✑ Certificates of disposal must remain on file for at least three years.
This framework control is MOST likely classified as:
Q228.A developer wrote a script to make names and other PII data unidentifiable before loading a database export into the testing system. Which of the following describes the type of control that is being used?
A. Data encoding
B. Data masking
C. Data loss prevention
D. Data classification
Q229.A company’s security administrator needs to automate several security processes related to testing for the existence of changes within the environment.
Conditionally, other processes will need to be created based on input from prior processes. Which of the following is the BEST method for accomplishing this task?
A. Machine learning and process monitoring
B. Continuous integration and configuration management
C. API integration and data enrichment
D. Workflow orchestration and scripting
You are a penetration tester who is reviewing the system hardening guidelines for a company’s distribution center. The company’s hardening guidelines indicate the following:
✑ There must be one primary server or service per device.
✑ Only default ports should be used.
✑ Non-secure protocols should be disabled.
✑ The corporate Internet presence should be placed in a protected subnet.
Using the tools available, discover devices on the corporate network and the services that are running on these devices.
You must determine:
✑ The IP address of each device.
✑ The primary server or service of each device.
✑ The protocols that should be disabled based on the hardening guidelines.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.
Q231.Which of the following BEST describes the primary role of a risk assessment as it relates to compliance with risk-based frameworks?
A. It demonstrates the organization’s mitigation of risks associated with internal threats.
B. It serves as the basis for control selection.
C. It prescribes technical control requirements.
D. It is an input to the business impact assessment.
Q232.A vulnerability scanner has identified an out-of-support database software version running on a server. The software update will take six to nine months to complete. The management team has agreed to a one-year extended support contract with the software vendor. Which of the following BEST describes the risk treatment in this scenario?
A. The extended support mitigates any risk associated with the software.
B. The extended support contract changes this vulnerability finding to a false positive.
C. The company is transferring the risk for the vulnerability to the software vendor.
D. The company is accepting the inherent risk of the vulnerability.
Q233.Which of the following BEST explains hardware root of trust?
A. It uses the processor security extensions to protect the OS from malicious software installation.
B. It prevents side-channel attacks that can take advantage of speculative execution vulnerabilities.
C. It ensures the authenticity of firmware and software during the boot process until the OS is loaded.
D. It has been implemented as a mitigation to the Spectre and Meltdown hardware vulnerabilities.
Q234.A company wants to outsource a key human-resources application service to remote employees as a SaaS-based cloud solution. The company’s GREATEST concern should be the SaaS provider’s:
A. SLA for system uptime.
B. DLP procedures.
C. logging and monitoring capabilities.
D. data protection capabilities.
Q235.A security analyst is reviewing the network security monitoring logs listed below:
Which of the following is the analyst MOST likely observing? (Choose two.)
A. 10.1.1.128 sent potential malicious traffic to the web server.
B. 10.1.1.128 sent malicious requests, and the alert is a false positive.
C. 10.1.1.129 successfully exploited a vulnerability on the web server.
D. 10.1.1.129 sent potential malicious requests to the web server.
E. 10.1.1.129 sent non-malicious requests, and the alert is a false positive.
F. 10.1.1.130 can potentially obtain information about the PHP version.
Q236.A company’s data is still being exfiltrated to business competitors after the implementation of a DLP solution. Which of the following is the most likely reason why the data is still being compromised?
A. Printed reports from the database contain sensitive information
B. DRM must be implemented with the DLP solution
C. Users are not labeling the appropriate data sets
D. DLP solutions are only effective when they are implemented with disk encryption
Q237.A company was recently awarded several large government contracts and wants to determine its current risk from one specific APT.
Which of the following threat modeling methodologies would be the MOST appropriate to use during this analysis?
A. Attack vectors
B. Adversary capability
C. Diamond Model of Intrusion Analysis
D. Kill chain
E. Total attack surface
Q238.A security analyst is providing a risk assessment for a medical device that will be installed on the corporate network. During the assessment, the analyst discovers the device has an embedded operating system that will be at the end of its life in two years. Due to the criticality of the device, the security committee makes a risk-based policy decision to review and enforce the vendor upgrade before the end of life is reached.
Which of the following risk actions has the security committee taken?
A. Risk exception
B. Risk avoidance
C. Risk tolerance
D. Risk acceptance
Q239.An analyst is performing penetration testing and vulnerability assessment activities against a new vehicle automation platform.
Which of the following is MOST likely an attack vector that is being utilized as part of the testing and assessment?
E. CAN bus
Q240.A cybersecurity analyst is dissecting an intrusion down to the specific techniques and wants to organize them in a logical manner. Which of the following frameworks would BEST apply in this situation?
A. Pyramid of Pain
B. MITRE ATT&CK
C. Diamond Model of Intrusion Analysis
D. CVSS v3.0