COMPTIA CYSA+ CS0-002 PRACTICE EXAM | QUESTIONS & ANSWERS (VERIFIED) | LATEST UPDATE | GRADED A+
A cybersecurity analyst receives a phone call from an unknown person with the number blocked on the caller ID. After starting the conversation, the caller begins to request sensitive information. Which of the following techniques is being applied?
A. Social engineering
B. Phishing
C. Impersonation
D. War dialing
Correct Answer: A

Which of the following is the main benefit of sharing incident details with partner organizations or external trusted parties during the incident response process?
A. It facilitates releasing incident results, findings and resolution to the media and all appropriate government agencies.
B. It shortens the incident life cycle by allowing others to document incident details and prepare reports.
C. It enhances the response process, as others may be able to recognize the observed behavior and provide valuable insight.
D. It allows the security analyst to defer incident-handling activities until all parties agree on how to proceed with analysis.
Correct Answer: C

The security analyst determined that an email containing a malicious attachment was sent to several employees within the company, and it was not stopped by any of the email filtering devices. An incident was declared. During the investigation, it was determined that most users deleted the email, but one specific user executed the attachment. Based on the details gathered, which of the following actions should the security analyst perform NEXT?
A. Obtain a copy of the email with the malicious attachment. Execute the file on another user's machine and observe the behavior. Document all findings.
B. Acquire a full backup of the affected machine. Reimage the machine and then restore from the full backup.
C. Take the affected machine off the network. Review local event logs looking for activity and processes related to unknown or unauthorized software.
D. Take possession of the machine. Apply the latest OS updates and fir
Correct Answer: C

Which of the following tools should a cybersecurity analyst use to verify the integrity of a forensic image before and after an investigation?
A. strings
B. sha1sum
C. file
D. dd
E. gzip
Correct Answer: B

Given the following logs:
Aug 18 11:00:57 comptia sshd[5657]: Failed password for root from 10.10.10.192 port 38980 ssh2
Aug 18 23:08:26 comptia sshd[5768]: Failed password for root from 18.70.0.160 port 38156 ssh2
Aug 18 23:08:30 comptia sshd[5770]: Failed password for admin from 18.70.0.160 port 38556 ssh2
Aug 18 23:08:34 comptia sshd[5772]: Failed password for invalid user asterisk from 18.70.0.160 port 38864 ssh2
Aug 18 23:08:38 comptia sshd[5774]: Failed password for invalid user sjobeck from 10.10.1.16 port 39157 ssh2
Aug 18 23:08:42 comptia sshd[5776]: Failed password for root from 18.70.0.160 port 39467 ssh2
Which of the following can be suspected?
A. An unauthorized user is trying to gain access from 10.10.10.192.
B. An authorized user is trying to gain access from 10.10.10.192.
C. An authorized user is trying to gain access from 18.70.0.160.
D. An unauthorized user is trying to gain access from 18.70.0.160.
Correct Answer: D

A security analyst has been asked to review permissions on accounts within Active Directory to determine if they are appropriate to the user's role. During this process, the analyst notices that a user from building maintenance is part of the Domain Admin group. Which of the following does this indicate?
A. Cross-site scripting
B. Session hijack
C. Privilege escalation
D. Rootkit
Correct Answer: C

In the last six months, a company has seen an increase in credential-harvesting attacks. The latest victim was the chief executive officer (CEO). Which of the following countermeasures will render the attack ineffective?
A. Use a complex password according to the company policy.
B. Implement an intrusion-prevention system.
C. Isolate the CEO's computer in a higher security zone.
D. Implement multifactor authentication.
Correct Answer: D

After a security breach, it was discovered that the attacker had gained access to the network by using a brute-force attack against a service account with a password that was set to not expire, even though the account had a long, complex password. Which of the following could be used to prevent similar attacks from being successful in the future?
A. Complex password policies
B. Account lockout
C. Self-service password reset portal
D. Scheduled vulnerability scans
Correct Answer: B

A security analyst wants to capture data flowing in and out of a network. Which of the following would MOST likely assist in achieving this goal?
A. Taking a screenshot.
B. Analyzing network traffic and logs.
C. Analyzing big data metadata.
D. Capturing a system image.
Correct Answer: B

There are reports that hackers are using home thermostats to ping a national service provider without the provider's knowledge. Which of the following attacks is occurring from these devices?
A. IoT
B. DDoS
C. MITM
D. MIMO
Correct Answer: B

Which of the following is the purpose of a SIEM solution?
A. To provide real-time security analysis and alerts generated within the security system.
B. To provide occasional updates on global security breaches.
C. To act as an attack vector.
D. To act as an intrusion prevention system.
Correct Answer: A

An actor with little to no knowledge of the tools they use to carry out an attack is known as which of the following?
A. White hat
B. Black hat
C. Attack vector
D. Script kiddie
Correct Answer: D

Which one of the following does NOT accurately portray the attributes of an Advanced Persistent Threat (APT) attack?
A. They often exploit unknown vulnerabilities.
B. They typically use freely available attacking tools to cut down on costs.
C. They target large or government organizations.
D. They use sophisticated means to gain access to highly valued resources.
Correct Answer: B

Which of the following are the security intelligence data elements that assure the quality of the data? (Choose three)
A. Accuracy
B. Proprietary
C. Relevance
D. Timeliness
Correct Answer: ACD

The process of combing through collected data to gather relevant and accurate intelligence data is referred to as _____ according to the intelligence cycle.
A. Collection
B. Dissemination
C. Feedback
D. Analysis
Correct Answer: D

Which of the following ports would you close if your server does not host any DNS services?
A. 22
B. 53
C. 443
D. 80
Correct Answer: B

The security team advises that there is a server running legacy software supported by some of the applications within the organization. Upon review, management realizes the potential loss from the risk isn't great enough to warrant spending money to avoid it. This form of response is known as which of the following?
A. Compensating control
B. Risk acceptance
C. Risk avoidance
D. Remediation
Correct Answer: B

A critical vulnerability falls within which range on CVSS?
A. 4.0-7.0
B. 3.9-5.0
C. 0.0-10.0
D. 9.0-10.0
Correct Answer: D

An attacker collects information about a target from sources such as LinkedIn, Twitter, and the target's website. This form of reconnaissance is known as which of the following?
A. Active reconnaissance
B. Passive reconnaissance
C. Native reconnaissance
D. None of the above options
Correct Answer: B

When defining a scope to scan, which of the following should you use? (Choose two)
A. An IP range
B. A gateway
C. A single IP
D. A subnet mask only
Correct Answer: AC

Which of the following is NOT a factor that can inhibit remediation?
A. Legacy systems
B. SLA
C. MOU
D. Employment contract
Correct Answer: D

Which of the following will define a scope to scan? (Choose two)
A. 192.168.10.1
B. 192.168.88.1/24
C. 127.0.0.1
D. 169.254.10.1
Correct Answer: AB

Your company is requesting you to assess the extent to which a client's data was compromised in an incident. What analysis are you required to perform?
A. MOU
B. IIA
C. SLA
D. PII
Correct Answer: B

Which of the following would be used to de-authenticate devices connected to a wireless access point?
A. -0
B. -c
C. 5
D. -a
Correct Answer: A

To prevent memory compromise and subsequent overflow attacks in operating systems, which OS feature must be available?
A. UEFI
B. Boot Security
C. HIPS
D. ASLR
Correct Answer: D

Which firewall option would allow an administrator to permit an application into an organization's network?
A. Whitelisting
B. Filtering
C. Port Security
D. Blacklisting
Correct Answer: A

The command "Mac Address Sticky" uses physical addresses to restrict and provide network access to the device. True or false?
Correct Answer: T

Which of the following is a threat associated with operating in the cloud?
A. Unsecured Wi-Fi
B. Malicious insider
C. Bluejacking
D. Evil Twin
Correct Answer: B

Which of the following practices is likely to put corporate systems at risk?
A. CIA
B. Patching
C. MDM
D. BYOD
Correct Answer: D

A unique feature of a hybrid cloud is the combination of a private and public cloud. True or false?
Correct Answer: T

Which mobile security standard allows an organization to manage mobile devices?
A. MDM
B. BYOD
C. SSH
D. CAN bus
Correct Answer: A

Which of the following are fundamentals of MFA? (Choose three)
A. Something you have, such as a one-time PIN
B. Something you know, such as a password
C. Something you do, such as a sport
D. Something you are, such as biometrics
Correct Answer: ABD

In which of the following can the attacker use ARP poisoning to compromise systems?
A. LAN
B. Bluetooth
C. WAN
D. None of the above
Correct Answer: A

Locking is an effective mitigating measure against race condition attacks. True or false?
Correct Answer: T

You are informed that the recently hired junior accountant within your organization has had her device compromised after clicking on a link within an email that was seemingly sent from the head of the accounting department. What type of attack would the junior accountant have been a victim of?
A. Phishing attack
B. SQL injection
C. DDoS attack
D. MITM attack
Correct Answer: A

Which security concerns are more easily implemented in the cloud? (Choose three)
A. Data locality
B. Physical security
C. Customization
D. Regulatory compliance
E. API access
Correct Answer: BDE

A Cloud Access Security Broker is a piece of software that does which of the following?
A. Introduces new vulnerabilities
B. Prices cloud services
C. Sits between your cloud and on-premises deployments
D. Reduces security complexity
Correct Answer: C

Hardware IDs (such as serial numbers) are often tagged onto assets by which method?
A. A handwritten log
B. They're not
C. A physical tag or sticker
D. An external database
Correct Answer: C

Good change management includes which of the following features? (Choose three)
A. Change identification
B. Regulatory reporting
C. Life-cycle tracking
D. Review
E. A shared spreadsheet
Correct Answer: ACD

Network segmentation can mitigate the risk of a vulnerability spreading beyond its initial attack vector. True or false?
Correct Answer: T

Which architecture represents a cloud deployment that's isolated from other public users of that same cloud infrastructure?
A. Firewall
B. Virtual private clouds (VPC)
C. Serverless computing
D. Software-defined networking (SDN)
Correct Answer: B

Server virtualization introduces security vulnerabilities by sharing underlying hardware with other virtual machines. True or false?
Correct Answer: F

Which feature of a system is shared by all containers running on that system?
A. Memory space
B. Disk space
C. Operating system kernel
D. Network ports
Correct Answer: C

Which important access control feature is used by both RBAC and ABAC?
A. Permissions assigned to roles
B. Permissions assigned directly to users
C. Principle of least privilege
D. Permissions derived from attributes
Correct Answer: C

Account credentials should be encrypted both in transit and at rest by default. True or false?
Correct Answer: T

A username and password authentication scheme is considered "Multi-Factor Authentication" because the username and password represent two different factors. True or false?
Correct Answer: F

A honeypot has which of the following features? (Choose three)
A. Excludes any sensitive data
B. An easy target
C. Isolated from secure systems
D. Automatically blocks known attack vectors
Correct Answer: ABC

Documentation for software assurance comes in which forms?
A. Standard Operating Procedures and Information Assurance Plans
B. Regulatory oversight
C. Stack Overflow queries
D. Continuous Integration / Continuous Deployment
Correct Answer: A

Challenges for assuring mobile software include which of the following? (Choose three)
A. Device aesthetics
B. Connectivity
C. Physical size
D. Limited resources
E. User education
Correct Answer: BCD

Web applications are often exposed over the public internet, and this introduces additional security concerns. True or false?
Correct Answer: T

Which trait is mostly unique to firmware?
A. Publicly available
B. Deployed on the web
C. Easily assured
D. Tight coupling to the hardware
Correct Answer: D

At which stage of the SDLC should software assurance be introduced?
A. Every stage
B. Design
C. Testing
D. Deployment
Correct Answer: A

DevSecOps means integrating security assurance into the entire DevOps process and pipeline. True or false?
Correct Answer: T

Which testing is the most discrete form of testing and is often automated as part of a CI/CD pipeline?
A. Unit testing
B. Integration testing
C. User acceptance testing
D. Penetration testing
Correct Answer: A

You should classify all data input sources as which of the following?
A. Trusted or untrusted
B. Public or private
C. High or low
D. Internal or external
Correct Answer: A

Secure credentials are stored in which form?
A. With two-way encryption
B. They're never stored
C. Plain text
D. Salted and hashed
Correct Answer: D

SAST tools can review your code while it's executing to identify flaws or vulnerabilities. True or false?
Correct Answer: F

Pros of dynamic analysis tools include which of the following? (Choose three)
A. Provide a real-use view
B. Are simple to configure and use
C. Have a limited variety of options
D. Capture information at a discrete level
E. Identify distinct flaws from SAST
Correct Answer: ADE

SAML relies on which format for data transfer?
A. XML
B. Speech-to-Text
C. CSV
D. JSON
Correct Answer: A

Which type of root of trust is hardwired into the PCB or system board of a system?
A. USB dongle
B. Certificate Authority
C. TPM
D. HSM
Correct Answer: C

An eFuse bit can only be written to a single time. True or false?
Correct Answer: T

UEFI provides the necessary functionality for which system-level process?
A. Secure Boot
B. Boot loaders
C. BIOS
D. Anti-virus software
Correct Answer: A

Which boot process validates each successive piece of software as it starts and halts if invalid software is discovered?
A. Measured Boot
B. UEFI
C. Secure Boot
D. Bus encryption
Correct Answer: C

Which types of data are TEEs used to secure? (Choose three)
A. DRM controls
B. Payment/PCI data
C. Virus or malware definitions
D. Biometric data
E. OS versioning
Correct Answer: ABD

Match the two types of keys with their purpose.
1. User password to unlock the drive
2. Private key used to secure data
A. Authentication Key
B. Data Encryption Key
Correct Answer: AB

Which of the following would be a part of heuristic analysis? (Choose two)
A. Code analysis of unexecuted files
B. Observing patterns in attack vectors on an institution
C. Observing code execution in a sandbox
D. Noting relationships between network traffic and malware
Correct Answer: AC

Which type of security log would be most useful in order to determine the centrally cached websites?
A. Syslog server log
B. Windows Security Event Log
C. Proxy server syslog
D. Proxy server log
Correct Answer: D

Which command-line tool is used to send the results of an onscreen command to a text file?
A. >
B. |
C.
D. <
Correct Answer: A

Which of the following is the most basic initial function of a SIEM system?
A. Correlation via rules
B. Log aggregation dashboard
C. Artificial intelligence
D. Security Orchestration and Automation Response
Correct Answer: B

Which log is associated with tracking both successful and failed authentication attempts on a Linux operating system?
A.
B. faillog
C. security event log
D. syslog
Correct Answer: A

Which type of network analysis decodes the content of packets to see the application data moving through the network?
A. Flow analysis
B. DNS analysis
C. Protocol analysis
D. Packet analysis
Correct Answer: D

Which form of email security infrastructure specifically focuses on digital signatures of outbound email from a mail server?
A. DNS
B. DMARC
C. DKIM
D. SPF
Correct Answer: C

Which type of email-related concern escalates most of the other security concerns?
A. Embedded links
B. Forwarder redirection
C. Social engineering
D. Attachments
Correct Answer: C

Which type of impact is best described as the impact to the data within a company?
A. Local
B. Organizational
C. Total
D. Immediate
Correct Answer: A

Which permissions would let someone view and launch a file that used memory, triggering a CPU process? (Choose two)
A. Delete
B. Permissions
C. Read
D. Write
E. Execute
Correct Answer: CE

Which of the following are the best candidates for a blacklist? (Choose two)
A. Firewalls
B. Network ACLs
C. Malware
D. Malicious traffic patterns
E. Permissions
Correct Answer: CD

Regarding firewall passwords, which of the following typically cause the greatest vulnerabilities? (Choose two)
A. Config files
B. Updates
C. Zones
D. Defaults
E. Rules
Correct Answer: AD

When IPS traffic is allowed through to the network when it should have been blocked, it's referred to as which of the following?
A. False negative
B. False positive
C. Out-of-band enforcement
D. Baseline
Correct Answer: A

Which of the following are likely areas of management in a Data Loss Prevention system? (Choose three)
A. Printing
B. Permissions
C. Email
D. Software
E. User authentication
Correct Answer: ACD

Which location is typical for an EDR agent installation?
A. Firewall
B. Virtual server
C. Router
D. Switch
Correct Answer: B

Which element of a NAC topology best describes a layer 2 switch?
A. Authentication server
B. Supplicant
C. Internet of Things
D. Authenticator
Correct Answer: D

Which security infrastructure element is added in order to redirect endpoints to a new destination?
A. Sinkhole
B. Sandbox
C. Honeynet
D. Honeypot
Correct Answer: A

Which of the following is the most valuable resource in proactive threat management?
A. Firewalls
B. People
C. Artificial intelligence
D. Intrusion detection systems
Correct Answer: B

Why do we need to learn about current threats in order to develop an accurate hypothesis to investigate? (Choose three)
A. Procedures
B. Policies
C. Titles
D. Techniques
E. Tactics
Correct Answer: ADE

Which type of advanced persistent threat actor is known for having large resources and wanting to cause disruption in a foreign country?
A. Hacktivist
B. Cyber criminal
C. Nation state
D. Cyber-terrorist
Correct Answer: C

Order the threat hunting steps appropriately.
A. Envision the attack
B. Keep learning
C. Look for attacks
D. Know thyself
Correct Answer: DACB

Which of the following is associated most with network controls rather than endpoint controls?
A. Change defaults
B. Deny all ports and protocols
C. Containerization
D. Desired State Configuration
Correct Answer: B

Which of the following is the most valid definition of an attack vector?
A. A method of attack
B. Exploited vulnerabilities
C. Agents of potential harm to an enterprise
D. Malware
Correct Answer: A

Which of the following is the most accurate description of a system that gathers vast quantities of data through neural networks?
A. Machine learning
B. Artificial intelligence
C. Deep learning
D. Natural intelligence
Correct Answer: C

Which security protocol is associated with public key infrastructure (PKI) as it applies to automation?
A. Common Platform Enumeration (CPE)
B. Extensible Configuration Checklist Description Format (XCCDF)
C. Trust Model for Security Automation Data (TMSAD)
D. Open Vulnerability Language (OVAL)
Correct Answer: C

Which of the following are elements of Security Orchestration Automation and Response (SOAR)? (Choose two)
A. Perform action steps with integrated systems
B. Examine logs for patterns
C. Collect incoming data streams
D. Capture network traffic
Correct Answer: AC

How do APIs allow for better security automation?
A. Provide a language for scripting
B. Ensure automatic updates
C. Identify end users
D. Read and write to software systems' configurations and data
Correct Answer: D

Which of the following enables malware detection software to quickly recognize new variants of a strain of malware? (Choose two)
A. Centralized malware databases
B. String hashes
C. File hashes
D. Deep learning
Correct Answer: BD

You're a security analyst wanting to incorporate third-party up-to-date security information into the context of machine learning that's already using content from your SIEM. Which process should be used?
A. Data deduplication
B. Data enrichment
C. Data mining
D. Data cleansing
Correct Answer: B

Which of the following is the best description of a methodology involving regular small incremental changes over the lifespan of a piece of software?
A. Continuous Delivery
B. Continuous Integration
C. Continuous Deployment
D. Security Automation
Correct Answer: B

An incident response process is a methodology providing guidance on the handling of cyber threats and breaches. True or false?
Correct Answer: T

According to the NIST framework, what are the four objectives of incident response? (Choose four)
A. Preparation
B. Classification
C. Containment, eradication, and recovery
D. Detection and analysis
E. Post-incident activity
Correct Answer: ACDE

A junior network analyst is monitoring network usage when he notices huge outbound network traffic. The traffic usage indicates a recent bandwidth spike that has not been recorded before. How would the analyst categorize this information?
A. Employees downloading torrents
B. Timed-out connections
C. Potential indicator of compromise
D. Packet loss
Correct Answer: C

Which of the following are categories of alerts? (Choose all that apply)
A. Informational
B. Partial
C. Medium
D. Critical
Correct Answer: ACD

Which of the following is NOT a post-incident activity?
A. Lessons learned report
B. Incident response planning
C. Evidence retention
D. Incident summary report
Correct Answer: B

A company has been sued by a client concerned about his personal information after a breach. The company would like to coordinate this process using the right channel. Which entity would the company appoint to correspond with the aggrieved client?
A. Legal
B. Human resources
C. Law enforcement
D. Public relations
Correct Answer: A

Which of the following indicates the presence of a rogue device on the network?
A. Processor consumption
B. Evil Twin
C. Registry changes
D. Memory consumption
Correct Answer: B

The process by which intrusion detection and prevention systems store hash values and compare them to detect changes is known as which of the following?
A. File Security Check
B. File Compromise Check
C. File Test Check
D. File Integrity Check
Correct Answer: D

Which of the following represents the correct syntax for returning 10 packets of captured traffic?
A. Sudo tcpdump -1 eth0 -c 10
B. Sudo tcpdump -c eth0 -i 10
C. Sudo eth0 -1 10 -c eth0
D. Sudo tcpdump -i eth0 -c 10
Correct Answer: D

You are only interested in viewing SSH traffic on a specific network interface. Which Wireshark feature would help achieve that?
A. Analyze
B. Capture
C. Filter
D. View
Correct Answer: C

Which of the following are examples of a hash function? (Choose two)
A. SHA256
B. MD5
C. CertUtil
D. Cain and Abel
Correct Answer: AB

Your organization's Chief Information Officer requests you to record the handling process of all the devices and evidence used during a forensic investigation. Which document would you formulate to carry out the exercise?
A. Legal hold
B. Chain of custody
C. Case study
D. Service level agreement
Correct Answer: B

Why is it important to determine the business impact of an exploited vulnerability when planning risk mitigation?
A. It determines the risk magnitude
B. It determines the risk probability
C. It determines the membership of the white tabletop team
D. It determines the security controls implemented
Correct Answer: A

Which security tool would best be described as the specific how-to documentation for mitigating risk?
A. Control
B. Procedure
C. Framework
D. Policy
Correct Answer: B

Which standard is used to standardize the level of security provided when housing credit card information?
A. HIPAA
B. PCI DSS
C. ISO 27001
D. FISMA
Correct Answer: B

Which control helps to ensure data privacy by ensuring that as little data as feasible is initially collected?
A. Data minimization
B. Retention policy
C. Data sovereignty
D. Classification
Correct Answer: A

Which control is used to hide data by relocating the actual private data and then providing a pointer for the software to track down that securely held data when needed?
A. Tokenization
B. Digital Rights Management (DRM)
C. Data masking
D. Deidentification
Correct Answer: A
Document information
- Uploaded on: February 27, 2024
- Number of pages: 38
- Written in: 2023/2024
- Type: Exam (elaborations)
- Contains: Questions & answers