2020 New CompTIA CySA+ CS0-002 Practice Test Questions

CS0-002 Exam is the new CompTIA Cybersecurity Analyst (CySA+) Certification Exam, the previous CompTIA CySA+ CS0-001 exam is still available before Oct 2020. The CompTIA CySA+ CS0-002 Practice Test Questions of PassQuestion can ensure you pass your first time to participate in the CompTIA CySA+ certification CS0-001 exam.PassQuestion providing CompTIA CySA+ CS0-002 Practice Test Questions are very close to the content of the formal examination. Through our short-term special training You can quickly grasp IT professional knowledge, and then have a good preparation for your exam. We promise that we will do our best to help you pass the CompTIA CySA+ certification CS0-001 exam.

2020 New CompTIA CySA+ CS0-002 Practice Test Questions

1. An analyst is performing penetration testing and vulnerability assessment activities against a new vehicle automation platform.

Which of the following is MOST likely an attack vector that is being utilized as part of the testing and assessment?

FaaS

RTOS

SoC

GPS

CAN bus

2. An information security analyst observes anomalous behavior on the SCADA devices in a power plant. This behavior results in the industrial generators overheating and destabilizing the power supply.

Which of the following would BEST identify potential indicators of compromise?

Use Burp Suite to capture packets to the SCADA device’s IP.

Use tcpdump to capture packets from the SCADA device IP.

Use Wireshark to capture packets between SCADA devices and the management system.

Use Nmap to capture packets from the management system to the SCADA devices.

3. Which of the following would MOST likely be included in the incident response procedure after a security breach of customer PII?

Human resources

Public relations

Marketing

Internal network operations center

4. An analyst is working with a network engineer to resolve a vulnerability that was found in a piece of legacy hardware, which is critical to the operation of the organization’s production line. The legacy hardware does not have third-party support, and the OEM manufacturer of the controller is no longer in operation. The analyst documents the activities and verifies these actions prevent remote exploitation of the vulnerability.

Which of the following would be the MOST appropriate to remediate the controller?

Segment the network to constrain access to administrative interfaces.

Replace the equipment that has third-party support.

Remove the legacy hardware from the network.

Install an IDS on the network between the switch and the legacy equipment.

5. A small electronics company decides to use a contractor to assist with the development of a new FPGA-based device. Several of the development phases will occur off-site at the contractor’s labs.

Which of the following is the main concern a security analyst should have with this arrangement?

Making multiple trips between development sites increases the chance of physical damage to the FPGAs.

Moving the FPGAs between development sites will lessen the time that is available for security testing.

Development phases occurring at multiple sites may produce change management issues.

FPGA applications are easily cloned, increasing the possibility of intellectual property theft.

6. A security analyst is trying to determine if a host is active on a network.

The analyst first attempts the following:

The analyst runs the following command next:

Which of the following would explain the difference in results?

ICMP is being blocked by a firewall.

The routing tables for ping and hping3 were different.

The original ping command needed root permission to execute.

hping3is returning a false positive.

7. A cybersecurity analyst is contributing to a team hunt on an organization’s endpoints.

Which of the following should the analyst do FIRST?

Write detection logic.

Establish a hypothesis.

Profile the threat actors and activities.

Perform a process analysis.

8. A security analyst received a SIEM alert regarding high levels of memory consumption for a critical system. After several attempts to remediate the issue, the system went down. A root cause analysis revealed a bad actor forced the application to not reclaim memory. This caused the system to be depleted of resources.

Which of the following BEST describes this attack?

Injection attack

Memory corruption

Denial of service

Array attack

9. Which of the following software security best practices would prevent an attacker from being able to run arbitrary SQL commands within a web application? (Choose two.)

Parameterized queries

Session management

Input validation

Output encoding

Data protection

Authentication

10. A cyber-incident response analyst is investigating a suspected cryptocurrency miner on a company’s server.

Which of the following is the FIRST step the analyst should take?

Create a full disk image of the server’s hard drive to look for the file containing the malware.

Run a manual antivirus scan on the machine to look for known malicious software.

Take a memory snapshot of the machine to capture volatile information stored in memory.

Start packet capturing to look for traffic that could be indicative of command and control from the miner.

11. While planning segmentation for an ICS environment, a security engineer determines IT resources will need access to devices within the ICS environment without compromising security.

To provide the MOST secure access model in this scenario, the jumpbox should be.

placed in an isolated network segment, authenticated on the IT side, and forwarded into the ICS network.

placed on the ICS network with a static firewall rule that allows IT network resources to authenticate.

bridged between the IT and operational technology networks to allow authenticated access.

placed on the IT side of the network, authenticated, and tunneled into the ICS environment.

12. Which of the following secure coding techniques can be used to prevent cross-site request forgery attacks?

Input validation

Output encoding

Parameterized queries

Tokenization

13. Risk management wants IT to implement a solution that will permit an analyst to intercept, execute, and analyze potentially malicious files that are downloaded from the Internet.

Which of the following would BEST provide this solution?

File fingerprinting

Decomposition of malware

Risk evaluation

Sandboxing

14. A web-based front end for a business intelligence application uses pass-through authentication to authenticate users. The application then uses a service account, to perform queries and look up data m a database A security analyst discovers employees are accessing data sets they have not been authorized to use.

Which of the following will fix the cause of the issue?

Change the security model to force the users to access the database as themselves

Parameterize queries to prevent unauthorized SQL queries against the database

Configure database security logging using syslog or a SIEM

Enforce unique session IDs so users do not get a reused session ID

15. Clients are unable to access a company’s API to obtain pricing data. An analyst discovers sources other than clients are scraping the API for data, which is causing the servers to exceed available resources.

Which of the following would be BEST to protect the availability of the APIs?

IP whitelisting

Certificate-based authentication

Virtual private network

Web application firewall

16. A security team is implementing a new vulnerability management program in an environment that has a historically poor security posture. The team is aware of issues patch management in the environment and expects a large number of findings.

Which of the following would be the MOST efficient way to increase the security posture of the organization in the shortest amount of time?

Create an SLA stating that remediation actions must occur within 30 days of discovery for all levels of vulnerabilities.

Incorporate prioritization levels into the remediation process and address critical findings first.

Create classification criteria for data residing on different servers and provide remediation only for servers housing sensitive data.

Implement a change control policy that allows the security team to quickly deploy patches in the production environment to reduce the risk of any vulnerabilities found.

17. The computer incident response team at a multinational company has determined that a breach of sensitive data has occurred in which a threat actor has compromised the organization’s email system. Per the incident response procedures, this breach requires notifying the board immediately.

Which of the following would be the BEST method of communication?

Post of the company blog

Corporate-hosted encrypted email

VoIP phone call

Summary sent by certified mail

Externally hosted instant message

18. A security analyst for a large financial institution is creating a threat model for a specific threat actor that is likely targeting an organization’s financial assets.

Which of the following is the BEST example of the level of sophistication this threat actor is using?

Social media accounts attributed to the threat actor

Custom malware attributed to the threat actor from prior attacks

Email addresses and phone numbers tied to the threat actor

Network assets used in previous attacks attributed to the threat actor

IP addresses used by the threat actor for command and control

19. During an investigation, an analyst discovers the following rule in an executive’s email client:

IF * TO <[email protected]> THEN mailto: <[email protected]>

SELECT FROM ‘sent’ THEN DELETE FROM <[email protected]>

The executive is not aware of this rule.

Which of the following should the analyst do FIRST to evaluate the potential impact of this security incident?

Check the server logs to evaluate which emails were sent to <[email protected]>

Use the SIEM to correlate logging events from the email server and the domain server

Remove the rule from the email client and change the password

Recommend that management implement SPF and DKIM

20. During routine monitoring, a security analyst discovers several suspicious websites that are communicating with a local host.

The analyst queries for IP 192.168.50.2 for a 24-hour period:

To further investigate, the analyst should request PCAP for SRC 192.168.50.2 and.

DST 138.10.2.5.

DST 138.10.25.5.

DST 172.10.3.5.

DST 172.10.45.5.

DST 175.35.20.5.

21. An analyst is reviewing the following output:

Which of the following was MOST likely used to discover this?

Reverse engineering using a debugger

A static analysis vulnerability scan

A passive vulnerability scan

A web application vulnerability scan

22. A security analyst is supporting an embedded software team.

Which of the following is the BEST recommendation to ensure proper error handling at runtime?

Perform static code analysis.

Require application fuzzing.

Enforce input validation

Perform a code review

23. During an investigation, a security analyst determines suspicious activity occurred during the night shift over the weekend. Further investigation reveals the activity was initiated from an internal IP going to an external website.

Which of the following would be the MOST appropriate recommendation to prevent the activity from happening in the future?

An IPS signature modification for the specific IP addresses

An IDS signature modification for the specific IP addresses

A firewall rule that will block port 80 traffic

A firewall rule that will block traffic from the specific IP addresses

24. A security analyst is reviewing packet captures from a system that was compromised. The system was already isolated from the network, but it did have network access for a few hours after being compromised.

When viewing the capture in a packet analyzer, the analyst sees the following:

Which of the following can the analyst conclude?

Malware is attempting to beacon to 128.50.100.3.

The system is running a DoS attack against ajgidwle.com.

The system is scanning ajgidwle.com for PI

Data is being exfiltrated over DN

25. The inability to do remote updates of certificates. keys software and firmware is a security issue commonly associated with:

web servers on private networks.

HVAC control systems

smartphones

firewalls and UTM devices

26. A security analyst received an email with the following key:

Xj3XJ3LLc

A second security analyst received an email with following key:

3XJ3xjcLLC

The security manager has informed the two analysts that the email they received is a key that allows access to the company’s financial segment for maintenance.

This is an example of:

dual control

private key encryption

separation of duties

public key encryption

two-factor authentication

27. A security analyst is providing a risk assessment for a medical device that will be installed on the corporate network. During the assessment, the analyst discovers the device has an embedded operating system that will be at the end of its life in two years. Due to the criticality of the device, the security committee makes a risk-based policy decision to review and enforce the vendor upgrade before the end of life is reached.

Which of the following risk actions has the security committee taken?

Risk exception

Risk avoidance

Risk tolerance

Risk acceptance

28. A security analyst is reviewing a web application. If an unauthenticated user tries to access a page in the application, the user is redirected to the login page. After successful authentication, the user is then redirected back to the original page. Some users have reported receiving phishing emails with a link that takes them to the application login page but then redirects to a fake login page after successful authentication.

Which of the following will remediate this software vulnerability?

Enforce unique session IDs for the application.

Deploy a WAF in front of the web application.

Check for and enforce the proper domain for the redirect.

Use a parameterized query to check the credentials.

Implement email filtering with anti-phishing protection.

29. D18912E1457D5D1DDCBD40AB3BF70D5D

A security analyst scanned an internal company subnet and discovered a host with the following Nmap output.

Based on the output of this Nmap scan, which of the following should the analyst investigate FIRST?

Port 22

Port 135

Port 445

Port 3389

30. A security analyst has received information from a third-party intelligence-sharing resource that indicates employee accounts were breached.

Which of the following is the NEXT step the analyst should take to address the issue?

Audit access permissions for all employees to ensure least privilege.

Force a password reset for the impacted employees and revoke any tokens.

Configure SSO to prevent passwords from going outside the local network.

Set up privileged access management to ensure auditing is enabled.

31. An information security analyst on a threat-hunting team Is working with administrators to create a hypothesis related to an internally developed web application.

The working hypothesis is as follows:

• Due to the nature of the industry, the application hosts sensitive data associated with many clients and Is a significant target

•. The platform Is most likely vulnerable to poor patching and Inadequate server hardening, which expose vulnerable services.

•. The application is likely to be targeted with SQL injection attacks due to the large number of reporting capabilities within the application.

As a result, the systems administrator upgrades outdated service applications and validates the endpoint configuration against an industry benchmark. The analyst suggests developers receive additional training on implementing identity and access management, and also implements a WAF to protect against SOL injection attacks.

Which of the following BEST represents the technique in use?

Improving detection capabilities

Bundling critical assets

Profiling threat actors and activities

Reducing the attack surface area

32. An incident response team is responding to a breach of multiple systems that contain PII and PHI.

Disclosing the incident to external entities should be based on:

the responder’s discretion

the public relations policy

the communication plan

senior management’s guidance

33. A security analyst has a sample of malicious software and needs to know what the sample does. The analyst runs the sample in a carefully controlled and monitored virtual machine to observe the software behavior.

Which of the following malware analysis approaches is this?

White box testing

Fuzzing

Sandboxing

Static code analysis

34. A company’s Chief Information Security Officer (CISO) is concerned about the integrity of some highly confidential files. Any changes to these files must be tied back to a specific authorized user’s activity session.

Which of the following is the BEST technique to address the CISO’s concerns?

Configure DLP to reject all changes to the files without pre-authorization. Monitor the files for unauthorized changes.

Regularly use SHA-256 to hash the directory containing the sensitive information.
Monitor the files for unauthorized changes.

Place a legal hold on the files. Require authorized users to abide by a strict time context access policy.
Monitor the files for unauthorized changes.

Use Wireshark to scan all traffic to and from the directory. Monitor the files for unauthorized changes.

35. A team of security analysts has been alerted to potential malware activity. The initial examination indicates one of the affected workstations is beaconing on TCP port 80 to five IP addresses and attempting to spread across the network over port 445.

Which of the following should be the team’s NEXT step during the detection phase of this response process?

Escalate the incident to management, who will then engage the network infrastructure team to keep them informed.

Depending on system criticality, remove each affected device from the network by disabling wired and wireless connections.

Engage the engineering team to block SMB traffic internally and outbound HTTP traffic to the five IP addresses.

Identify potentially affected systems by creating a correlation search in the SIEM based on the network traffic.

36. A security analyst on the threat-hunting team has developed a list of unneeded, benign services that are currently running as part of the standard OS deployment for workstations. The analyst will provide this list to the operations team to create a policy that will automatically disable the services for all workstations in the organization.

Which of the following BEST describes the security analyst’s goal?

To create a system baseline

To reduce the attack surface

To optimize system performance

To improve malware detection

37. HOTSPOT

Welcome to the Enterprise Help Desk System. Please work the ticket escalated to you in the desk ticket queue.

INSTRUCTIONS

Click on me ticket to see the ticket details Additional content is available on tabs within the ticket

First, select the appropriate issue from the drop-down menu. Then, select the MOST likely root cause from second drop-down menu

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button

38. A developer wrote a script to make names and other Pll data unidentifiable before loading a

database export into the testing system.

Which of the following describes the type of control that is being used?

Data encoding

Data masking

Data loss prevention

Data classification

39. An executive assistant wants to onboard a new cloud based product to help with business analytics and dashboarding. When of the following would be the BEST integration option for the service?

Manually log in to the service and upload data files on a regular basis.

Have the internal development team script connectivity and file translate to the new service.

Create a dedicated SFTP sue and schedule transfers to ensue file transport security

Utilize the cloud products API for supported and ongoing integrations

40. What is the executable file name or the malware?

41. Which of the following assessment methods should be used to analyze how specialized software performs during heavy loads?

Stress test

API compatibility lest

Code review

User acceptance test

Input validation

42. A threat feed notes malicious actors have been infiltrating companies and exfiltration data to a specific set of domains Management at an organization wants to know if it is a victim.

Which of the following should the security analyst recommend to identity this behavior without alerting any potential malicious actors?

Create an IPS rule to block these domains and trigger an alert within the SIEM tool when these domains are requested

Add the domains to a DNS sinkhole and create an alert m the SIEM toot when the domains are queried

Look up the IP addresses for these domains and search firewall logs for any traffic being sent to those IPs over port 443

Query DNS logs with a SIEM tool for any hosts requesting the malicious domains and create alerts based on this information

43. A cybersecurity analyst is responding to an incident. The company’s leadership team wants to attribute the incident to an attack group.

Which of the following models would BEST apply to the situation?

Intelligence cycle

Diamond Model of Intrusion Analysis

Kill chain

MITRE ATT&CK

44. A cybersecurity analyst is dissecting an intrusion down to the specific techniques and wants to organize them in a logical manner.

Which of the following frameworks would BEST apply in this situation?

Pyramid of Pain

MITRE ATT&CK

Diamond Model of Intrusion Analysts

CVSS v3.0

45. While analyzing logs from a WAF, a cybersecurity analyst finds the following:

Which of the following BEST describes what the analyst has found?

This is an encrypted GET HTTP request

A packet is being used to bypass the WAF

This is an encrypted packet

This is an encoded WAF bypass

46. Ann, a user, reports to the security team that her browser began redirecting her to random sites while using her Windows laptop. Ann further reports that the OS shows the C: drive is out of space despite having plenty of space recently. Ann claims she not downloaded anything.

The security team obtains the laptop and begins to investigate, noting the following:

✑ File access auditing is turned off.

✑ When clearing up disk space to make the laptop functional, files that appear to be cached web pages are immediately created in a temporary directory, filling up the available drive space.

✑ All processes running appear to be legitimate processes for this user and machine.

✑ Network traffic spikes when the space is cleared on the laptop.

✑ No browser is open.

Which of the following initial actions and tools would provide the BEST approach to determining what is happening?

Delete the temporary files, run an Nmap scan, and utilize Burp Suite.

Disable the network connection, check Sysinternals Process Explorer, and review netstat output.

Perform a hard power down of the laptop, take a dd image, and analyze with FT

Review logins to the laptop, search Windows Event Viewer, and review Wireshark captures.

47. Which of the following technologies can be used to store digital certificates and is typically used in high-security implementations where integrity is paramount?

HSM

eFuse

UEFI

Self-encrypting drive

48. A company’s modem response team is handling a threat that was identified on the network Security analysts have as at remote sites.

Which of the following is the MOST appropriate next step in the incident response plan?

Quarantine the web server

Deploy virtual firewalls

Capture a forensic image of the memory and disk

Enable web server containerization

49. It is important to parameterize queries to prevent:

the execution of unauthorized actions against a database.

a memory overflow that executes code with elevated privileges.

the establishment of a web shell that would allow unauthorized access.

the queries from using an outdated library with security vulnerabilities.

50. Which of the following is the MOST important objective of a post-incident review?

Capture lessons learned and improve incident response processes

Develop a process for containment and continue improvement efforts

Identify new technologies and strategies to remediate

Identify a new management strategy

51. Which of me following BEST articulates the benefit of leveraging SCAP in an organization’s cybersecurity analysis toolset?

It automatically performs remedial configuration changes lo enterprise security services

It enables standard checklist and vulnerability analysis expressions for automaton

It establishes a continuous integration environment for software development operations

It provides validation of suspected system vulnerabilities through workflow orchestration

52. A security analyst suspects a malware infection was caused by a user who downloaded malware after clicking http://<malwaresource>/A.php in a phishing email.

To prevent other computers from being infected by the same malware variation, the analyst should create a rule on the.

email server that automatically deletes attached executables.

IDS to match the malware sample.

proxy to block all connections to <malwaresource>.

firewall to block connection attempts to dynamic DNS hosts.

53. An analyst is performing penetration testing and vulnerability assessment activities against a new vehicle automation platform.

Which of the following is MOST likely an attack vector that is being utilized as part of the testing and assessment?

FaaS

RTOS

SoC

GPS

CAN bus

54. During a review of vulnerability scan results an analyst determines the results may be flawed because a control-baseline system which is used to evaluate a scanning tools effectiveness was reported as not vulnerable Consequently, the analyst verifies the scope of the scan included the control-baseline host which was available on the network during the scan. The use of a control-baseline endpoint in this scenario assists the analyst in confirming.

verification of mitigation

false positives

false negatives

the criticality index

hardening validation.

55. As part of a review of incident response plans, which of the following is MOST important for an organization to understand when establishing the breach notification period?

Organizational policies

Vendor requirements and contracts

Service-level agreements

Legal requirements

56. A new on-premises application server was recently installed on the network. Remote access to the server was enabled for vendor support on required ports, but recent security reports show large amounts of data are being sent to various unauthorized networks through those ports.

Which of the following configuration changes must be implemented to resolve this security issue while still allowing remote vendor access?

Apply a firewall application server rule.

Whitelist the application server.

Sandbox the application server.

Enable port security.

Block the unauthorized networks.

57. A pharmaceutical company’s marketing team wants to send out notifications about new products to alert users of recalls and newly discovered adverse drug reactions. The team plans to use the names and mailing addresses that users have provided.

Which of the following data privacy standards does this violate?

Purpose limitation

Sovereignty

Data minimization

Retention

58. An organization suspects it has had a breach, and it is trying to determine the potential impact.

The organization knows the following:

✑ . The source of the breach is linked to an IP located in a foreign country.

✑ The breach is isolated to the research and development servers.

✑ . The hash values of the data before and after the breach are unchanged.

✑ The affected servers were regularly patched, and a recent scan showed no vulnerabilities.

Which of the following conclusions can be drawn with respect to the threat and impact? (Choose two.)

The confidentiality of the data is unaffected.

The threat is an AP

The source IP of the threat has been spoofed.

The integrity of the data is unaffected.

The threat is an insider.

59. A security analyst has discovered trial developers have installed browsers on all development servers in the company’s cloud infrastructure and are using them to browse the Internet.

Which of the following changes should the security analyst make to BEST protect the environment?

Create a security rule that blocks Internet access in the development VPC

Place a jumpbox m between the developers’ workstations and the development VPC

Remove the administrator profile from the developer user group in identity and access management

Create an alert that is triggered when a developer installs an application on a server

60. A security manager has asked an analyst to provide feedback on the results of a penetration lest.

After reviewing the results the manager requests information regarding the possible exploitation of vulnerabilities Much of the following information data points would be MOST useful for the analyst to provide to the security manager who would then communicate the risk factors to senior management? (Select TWO)

Probability

Adversary capability

Attack vector

Impact

Classification

Indicators of compromise

61. A cyber-incident response analyst is investigating a suspected cryptocurrency miner on a company’s server.

Which of the following is the FIRST step the analyst should take?

Create a full disk image of the server’s hard drive to look for the file containing the malware.

Run a manual antivirus scan on the machine to look for known malicious software.

Take a memory snapshot of the machine to capture volatile information stored in memory.

Start packet capturing to look for traffic that could be indicative of command and control from the miner.

62. A security analyst reviews the following aggregated output from an Nmap scan and the border firewall ACL:

Which of the following should the analyst reconfigure to BEST reduce organizational risk while maintaining current functionality?

PC1

PC2

Server1

Server2

Firewall

63. A web developer wants to create a new web part within the company website that aggregates sales from individual team sites. A cybersecurity analyst wants to ensure security measurements are implemented during this process.

Which of the following remediation actions should the analyst take to implement a vulnerability management process?

Personnel training

Vulnerability scan

Change management

Sandboxing

64. A development team is testing a new application release. The team needs to import existing client PHI data records from the production environment to the test environment to test accuracy and functionality.

Which of the following would BEST protect the sensitivity of this data while still allowing the team to perform the testing?

Deidentification

Encoding

Encryption

Watermarking

65. A storage area network (SAN) was inadvertently powered off while power maintenance was being performed in a datacenter. None of the systems should have lost all power during the maintenance. Upon review, it is discovered that a SAN administrator moved a power plug when testing the SAN’s fault notification features.

Which of the following should be done to prevent this issue from reoccurring?

Ensure both power supplies on the SAN are serviced by separate circuits, so that if one circuit goes down, the other remains powered.

Install additional batteries in the SAN power supplies with enough capacity to keep the system powered on during maintenance operations.

Ensure power configuration is covered in the datacenter change management policy and have the SAN administrator review this policy.

Install a third power supply in the SAN so loss of any power intuit does not result in the SAN completely powering off.

66. A security analyst is investigating a malware infection that occurred on a Windows system. The system was not connected to a network and had no wireless capability Company policy prohibits using portable media or mobile storage. The security analyst is trying to determine which user caused the malware to get onto the system.

Which of the following registry keys would MOST likely have this information?

HKEY_USERS<user SID>SoftwareMicrosoftWindowsCurrentVersionRun

HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun

HKEY_USERS<user SID>SoftwareMicrosoftWindowsexplorerMountPoints2

HKEY_USERS<user SID>SoftwareMicrosoftInternet ExplorerTyped URLs

HKEY_LOCAL_MACHINESYSTEMControlSet001serviceseventlogSystemiusb3hub

67. A security analyst is investigating malicious traffic from an internal system that attempted to download proxy avoidance software as identified from the firewall logs but the destination IP is blocked and not captured.

Which of the following should the analyst do?

Shut down the computer

Capture live data using Wireshark

Take a snapshot

Determine if DNS logging is enabled.

Review the network logs.

68. A user receives a potentially malicious email that contains spelling errors and a PDF document. A security analyst reviews the email and decides to download the attachment to a Linux sandbox for review.

Which of the following commands would MOST likely indicate if the email is malicious?

sha256sum ~/Desktop/file.pdf

file ~/Desktop/file.pdf

strings ~/Desktop/file.pdf | grep "<script"

cat < ~/Desktop/file.pdf | grep -i .exe

69. A security analyst is attempting to utilize the blowing threat intelligence for developing detection capabilities:

In which of the following phases is this APT MOST likely to leave discoverable artifacts?

Data collection/exfiltration

Defensive evasion

Lateral movement

Reconnaissance

70. Which of the following attacks can be prevented by using output encoding?

Server-side request forgery

Cross-site scripting

SQL injection

Command injection

Cross-site request forgery

Directory traversal

71. A security analyst recently discovered two unauthorized hosts on the campus’s wireless network segment from a man-m-the-middle attack. The security analyst also verified that privileges were not escalated, and the two devices did not gain access to other network devices.

Which of the following would BEST mitigate and improve the security posture of the wireless network for this type of attack?

Enable MAC filtering on the wireless router and suggest a stronger encryption for the wireless network,

Change the SSID, strengthen the passcode, and implement MAC filtering on the wireless router.

Enable MAC filtering on the wireless router and create a whitelist that allows devices on the network

Conduct a wireless survey to determine if the wireless strength needs to be reduced.

72. A cybersecurity analyst is contributing to a team hunt on an organization’s endpoints.

Which of the following should the analyst do FIRST?

Write detection logic.

Establish a hypothesis.

Profile the threat actors and activities.

Perform a process analysis.

73. Which of the following software security best practices would prevent an attacker from being able to run arbitrary SQL commands within a web application? (Choose two.)

Parameterized queries

Session management

Input validation

Output encoding

Data protection

Authentication

74. A security analyst received an alert from the SIEM indicating numerous login attempts from users outside their usual geographic zones, all of which were initiated through the web-based mail server. The logs indicate all domain accounts experienced two login attempts during the same time frame.

Which of the following is the MOST likely cause of this issue?

A password-spraying attack was performed against the organization.

A DDoS attack was performed against the organization.

This was normal shift work activity; the SIEM’s AI is learning.

A credentialed external vulnerability scan was performed.

75. For machine learning to be applied effectively toward security analysis automation, it requires.

relevant training data.

a threat feed AP

a multicore, multiprocessor system.

anomalous traffic signatures.

76. Which of the following BEST describes the primary role ol a risk assessment as it relates to compliance with risk-based frameworks?

It demonstrates the organization’s mitigation of risks associated with internal threats.

It serves as the basis for control selection.

It prescribes technical control requirements.

It is an input to the business impact assessment.

77. During an investigation, an incident responder intends to recover multiple pieces of digital media.

Before removing the media, the responder should initiate:

malware scans.

secure communications.

chain of custody forms.

decryption tools.

78. Which of the following technologies can be used to house the entropy keys for task encryption on desktops and laptops?

Self-encrypting drive

Bus encryption

TPM

HSM

79. A security administrator needs to create an IDS rule to alert on FTP login attempts by root.

Which of the following rules is the BEST solution?

Option A

Option B

Option C

Option D

80. An organization wants to move non-essential services into a cloud computing environment. Management has a cost focus and would like to achieve a recovery time objective of 12 hours.

Which of the following cloud recovery strategies would work BEST to attain the desired outcome?

Duplicate all services in another instance and load balance between the instances.

Establish a hot site with active replication to another region within the same cloud provider.

Set up a warm disaster recovery site with the same cloud provider in a different region

Configure the systems with a cold site at another cloud provider that can be used for failover.

81. A security analyst is conducting a post-incident log analysis to determine which indicators can be used to detect further occurrences of a data exfiltration incident.

The analyst determines backups were not performed during this time and reviews the following:

Which of the following should the analyst review to find out how the data was exfilltrated?

Monday’s logs

Tuesday’s logs

Wednesday’s logs

Thursday’s logs

82. A security architect is reviewing the options for performing input validation on incoming web form submissions.

Which of the following should the architect as the MOST secure and manageable option?

Client-side whitelisting

Server-side whitelisting

Server-side blacklisting

Client-side blacklisting

83. A security analyst is investigating a compromised Linux server.

The analyst issues the ps command and receives the following output.

Which of the following commands should the administrator run NEXT to further analyze the compromised system?

strace /proc/1301

rpm -V openash-server

/bin/la -1 /proc/1301/exe

kill -9 1301

84. An audit has revealed an organization is utilizing a large number of servers that are running unsupported operating systems.

As part of the management response phase of the audit, which of the following would BEST demonstrate senior management is appropriately aware of and addressing the issue?

Copies of prior audits that did not identify the servers as an issue

Project plans relating to the replacement of the servers that were approved by management

Minutes from meetings in which risk assessment activities addressing the servers were discussed

ACLs from perimeter firewalls showing blocked access to the servers

Copies of change orders relating to the vulnerable servers

85. A security analyst wants to identify which vulnerabilities a potential attacker might initially exploit if the network is compromised.

Which of the following would provide the BEST results?

Baseline configuration assessment

Uncredentialed scan

Network ping sweep

External penetration test

86. A security analyst has observed several incidents within an organization that are affecting one specific piece of hardware on the network. Further investigation reveals the equipment vendor previously released a patch.

Which of the following is the MOST appropriate threat classification for these incidents?

Known threat

Zero day

Unknown threat

Advanced persistent threat

87. Which of the following software assessment methods would be BEST for gathering data related to an application’s availability during peak times?

Security regression testing

Stress testing

Static analysis testing

Dynamic analysis testing

User acceptance testing

88. Bootloader malware was recently discovered on several company workstations. All the workstations run Windows and are current models with UEFI capability.

Which of the following UEFI settings is the MOST likely cause of the infections?

Compatibility mode

Secure boot mode

Native mode

Fast boot mode

89. Which of the following policies would state an employee should not disable security safeguards, such as host firewalls and antivirus on company systems?

Code of conduct policy

Account management policy

Password policy

Acceptable use policy

90. Because some clients have reported unauthorized activity on their accounts, a security analyst is reviewing network packet captures from the company’s API server.

A portion of a capture file is shown below:

POST /services/v1_0/Public/Members.svc/soap <s:Envelope+xmlns:s="http://schemas.s/soap/envelope/"><s:Body><GetIPLocation+xmlns="http://tempuri.org/">

<request+xmlns:a="http://schemas.somesite.org"+xmlns:i="http://www.w3.org/2001/XMLSchema-instance"></s:Body></s:Envelope> 192.168.1.22 – – api.somesite.com 200 0 1006 1001 0 192.168.1.22

POST /services/v1_0/Public/Members.svc/soap <<a:Password>Password123</a:Password><a:ResetPasswordToken+i:nil="true"/> <a:ShouldImpersonatedAuthenticationBePopulated+i:nil="true"/><a:Username>[email protected]</a:Username></request></Login></s:Body></s:Envelope> 192.168.5.66 – – api.somesite.com 200 0 11558 1712 2024 192.168.4.89

POST /services/v1_0/Public/Members.svc/soap <s:Envelope+xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetIPLocation+xmlns="http://tempuri.org/"> <a:IPAddress>516.7.446.605</a:IPAddress><a:ZipCode+i:nil="true"/></request></GetIPLocation></s:Body></s:Envelope> 192.168.1.22 – – api.somesite.com 200 0 1003 1011 307 192.168.1.22

POST /services/v1_0/Public/Members.svc/soap <s:Envelope+xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><IsLoggedIn+xmlns="http://tempuri.org/"> <request+xmlns:a="http://schemas.datacontract.org/2004/07/somesite.web+xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><a:Authentication> <a:ApiToken>kmL4krg2CwwWBan5BReGv5Djb7syxXTNKcWFuSjd</a:ApiToken><a:ImpersonateUserId>0</a:ImpersonateUserId><a:LocationId>161222</a:LocationId> <a:NetworkId>4</a:NetworkId><a:ProviderId>”1=1</a:ProviderId><a:UserId>13026046</a:UserId></a:Authentication></request></IsLoggedIn></s:Body></s:Envelope> 192.168.5.66 – – api.somesite.com 200 0 1378 1209 48 192.168.4.89

Which of the following MOST likely explains how the clients’ accounts were compromised?

The clients’ authentication tokens were impersonated and replayed.

The clients’ usernames and passwords were transmitted in cleartext.

An XSS scripting attack was carried out on the server.

A SQL injection attack was carried out on the server.

2020 New CompTIA CySA+ CS0-002 Practice Test Questions

2020 New CompTIA CySA+ CS0-002 Practice Test Questions

Leave a Reply Cancel reply