CompTIA CySA+ (CS0-002) Complete Solution Graded A

CompTIA CySA+ (CS0-002) Complete Solution Graded A An analyst needs to forensically examine a Windows machine that was compromised by a threat actor. Intelligence reports state this specific threat actor is characterized by hiding malicious artifacts, especially with alternate data streams. Based on this intelligence, which of the following BEST explains alternate data streams? A. A different way data can be streamlined if the user wants to use less memory on a Windows system for forking resources B. A way to store data on an external drive attached to a Windows machine that is not readily accessible to users C. A windows attribute that provides for forking resources and is potentially used to hide the presence of secret or malicious files inside the file records of a benign file D. A Windows attribute that can be used by attackers to hide malicious files within system memory - D. A Windows attribute that can be used by attackers to hide malicious files within system memory An executive assistant wants to onboard a new cloud-based product to help with business analytics and dashboarding. Which of the following would be the BEST integration option for this service? A. Manually log in to the service and upload data files on a regular basis. B. Have the internal development team script connectivity and file transfers to the new service. C. Create a dedicated SFTP site and schedule transfers to ensure file transport security. D. Utilize the cloud product's API for supported and ongoing integrations. - D. Utilize the cloud product's API for supported and ongoing integrations Data spillage occurred when an employee accidentally emailed a sensitive file to an external recipient. Which of the following controls would have MOST likely prevented this incident? A. SSO B. DLP C. WAF D. VDI - B. DLP A development team is testing a new application release. The team needs to import existing client PHI data records from the production environment to the test environment to test accuracy and functionality. Which of the following would BEST protect the sensitivity of this data while still allowing the team to perform the testing? A. Deidentification B. Encoding C. Encryption D. Watermarking - A. Deidentification Which of the following are components of the intelligence cycle? (Select TWO). A. Collection B. Normalization C. Response D. Analysis E. Correction F. Dissension - A. Collection D. Analysis During an investigation, a security analyst identified machines that are infected with malware the antivirus was unable to detect. Which of the following is the BEST place to acquire evidence to perform data carving? A. The system memory B. The hard drive C. Network packets D. The Windows Registry - A. The system memory A SIEM solution alerts a security analyst of a high number of login attempts against the company's webmail portal. The analyst determines the login attempts used credentials from a past data breach. Which of the following is the BEST mitigation to prevent unauthorized access? A. Single sign-on B. Mandatory access control C. Multifactor authentication D. Federation E. Privileged access management - C. Multifactor authentication An organization wants to move non-essential services into a cloud computing Environment. Management has a cost focus and would like to achieve a recovery time objective of 12 hours. Which of the following cloud recovery strategies would work BEST to attain the desired outcome? A. Duplicate all services in another instance and load balance between the instances. B. Establish a hot site with active replication to another region within the same cloud provider C. Set up a warm disaster recovery site with the same cloud provider in a different region. D. Configure the systems with a cold site at another cloud provider that can be used for failover. - C. Set up a warm disaster recovery site with the same cloud provider in a different region. A security technician is testing a solution that will prevent outside entities from spoofing the company's email domain, which is . The testing is successful, and the security technician is prepared to fully implement the solution. Which of the following actions should the technician take to accomplish this task? A. Add TXT @ "v=spfl mx include:_ -all" to the DNS record. B. Add TXT @ "v=spfl mx include:_ -all" to the email server. C. Add TXT @ "v=spfl mx include:_ -all" to the domain controller. D. Add TXT @ "v=spfl mx include:_ -all" to the web server. - A. Add TXT @ "v=spfl mx include:_ -all" to the DNS record. A Chief Information Security Officer (CISO) is concerned the development team, which consists of contractors, has too much access to customer data. Developers use personal workstations, giving the company little to no visibility into the development activities. Which of the following would be BEST to implement to alleviate the CISO's concern? A. DLP B. Encryption C. Test data D. NDA - C. Test data A development team uses open-source software and follows an Agile methodology with two-week sprints. Last month, the security team filed a bug for an insecure version of a common library. The DevOps team updated the library on the server, and then the security team rescanned the server to verify it was no longer vulnerable. This month, the security team found the same vulnerability on the server. Which of the following should be done to correct the cause of the vulnerability? A. Deploy a WAF in front of the application. B. Implement a software repository management tool. C. Install a HIPS on the server. D. Instruct the developers to use input validation in the code. - B. Implement a software repository management tool. Which of the following BEST describes the primary role of a risk assessment as it relates to compliance with risk-based frameworks? A. It demonstrates the organization's mitigation of risks associated with internal threats. B. It serves as the basis for control selection. C. It prescribes technical control requirements D. It is an input to the business impact assessment - B. It serves as the basis for control selection. A security analyst discovers accounts in sensitive SaaS-based systems are not being removed in a timely manner when an employee leaves the organization. To BEST resolve the issue, the organization should implement: A. federated authentication. B. role-based access control. C. manual account reviews D. multifactor authentication. - A. federated authentication A security analyst had received information from a third-party intelligence-sharing resource that indicates employee accounts were breached. Which of the following is the NEXT step the analyst should take to address the issue? A. Audit access permissions for all employees to ensure least privilege B. Force a password reset for the impacted employees and revoke any tokens. C. Configure SSO to prevent passwords from going outside the local network. D. Set up prevailed access management to ensure auditing is enabled - B. Force a password reset for the impacted employees and revoke any tokens. Bootloader malware was recently discovered on several company workstations. All the workstations run Windows and are current models with UEFI capability. Which of the following UEFI settings is the MOST likely cause of the infections? A. Compatibility mode B. Secure boot mode C. Native mode D. Fast boot mode - A. Compatibility mode A small electronics company decides to use a contractor to assist with the development of a new FPGA-based device. Several of the development phases will occur off-site at the contractor's labs. Which of the following is the main concern a security analyst should have with this arrangement? A. Making multiple trips between development sites increases the chance of physical damage to the FPGAs. B. Moving the FPGAs between development sites will less the time that is available for security testing. C. Development phases occurring at multiple sites may produce change management issues. D. FPGA applications are easily cloned, increasing the possibility of intellectual property theft. - D. FPGA applications are easily cloned, increasing the possibility of intellectual property theft. During routing monitoring, a security analyst discovers several suspicious websites that are communicating with a local host. The analyst queries IP 192.168.50.2 for a 24-hour period: Time SRC DST Domain Bytes 6/26/19 10:01 192.168.50.2 138.10.2.5 50 6/26/19 11:05 192.168.50.2 138.10.2.5 1000 6/26/19 13:09 192.168.50.2 138.10.25.5 1000 6/26/19 15:13 192.168.50.2 172.10.2.5 1000 6/26/19 17:17 192.168.50.2 138.10.45.5 1000 6/26/19 23:45 192.168.50.2 172.10.3.5 50000 6/27/19 10:21 192.168.50.2 138.35.2.5 25 6/27/19 11:25 192.168.50.2 138.35.2.5 25