CS0-001 Free Questions – CompTIA CySA+ Certification Exam V14.02

1. A software patch has been released to remove vulnerabilities from company’s software. A security analyst has been tasked with testing the software to ensure the vulnerabilities have been remediated and the application is still functioning properly.
Which of the following tests should be performed NEXT?

2. A technician is running an intensive vulnerability scan to detect which ports are open to exploit. During the scan, several network services are disabled and production is affected.
Which of the following sources would be used to evaluate which network service was interrupted?

3. A cybersecurity analyst traced the source of an attack to compromised user credentials. Log analysis revealed that the attacker successfully authenticated from an unauthorized foreign country. Management asked the security analyst to research and implement a solution to help mitigate attacks based on compromised passwords.
Which of the following should the analyst implement?

4. A threat intelligence feed has posted an alert stating there is a critical vulnerability in the kernel. Unfortunately, the company’s asset inventory is not current.
Which of the following techniques would a cybersecurity analyst perform to find all affected servers within an organization?

5. A cybersecurity analyst is completing an organization’s vulnerability report and wants it to reflect assets accurately.
Which of the following items should be in the report?

6. A university wants to increase the security posture of its network by implementing vulnerability scans of both centrally managed and student/employee laptops. The solution should be able to scale, provide minimum false positives and high accuracy of results, and be centrally managed through an enterprise console.
Which of the following scanning topologies is BEST suited for this environment?

7. An analyst is observing unusual network traffic from a workstation. The workstation is communicating with a known malicious site over an encrypted tunnel. A full antivirus scan with an updated antivirus signature file does not show any sign of infection.
Which of the following has occurred on the workstation?

8. Which of the following remediation strategies are MOST effective in reducing the risk of a network-based compromise of embedded ICS? (Select two.)

9. While a threat intelligence analyst was researching an indicator of compromise on a search engine, the web proxy generated an alert regarding the same indicator. The threat intelligence analyst states that related sites were not visited but were searched for in a search engine.
Which of the following MOST likely happened in this situation?

10. Company A permits visiting business partners from Company B to utilize Ethernet ports available in Company A’s conference rooms. This access is provided to allow partners the ability to establish VPNs back to Company B’s network. The security architect for Company A wants to ensure partners from Company B are able to gain direct Internet access from available ports only, while Company A employees can gain access to the Company A internal network from those same ports.
Which of the following can be employed to allow this?

11. The new Chief Technology Officer (CTO) is seeking recommendations for network monitoring services for the local intranet. The CTO would like the capability to monitor all traffic to and from the gateway, as well as the capability to block certain content.
Which of the following recommendations would meet the needs of the organization?

12. An organization wants to remediate vulnerabilities associated with its web servers. An initial vulnerability scan has been performed, and analysts are reviewing the results. Before starting any remediation, the analysts want to remove false positives to avoid spending time on issues that are not actual vulnerabilities.
Which of the following would be an indicator of a likely false positive?

13. During a routine review of firewall logs, an analyst identified that an IP address from the organization’s server subnet had been connecting during nighttime hours to a foreign IP address, and had been sending between 150 and 500 megabytes of data each time. This had been going on for approximately one week, and the affected server was taken offline for forensic review.
Which of the following is MOST likely to drive up the incident’s impact assessment?

14. An HR employee began having issues with a device becoming unresponsive after attempting to open an email attachment. When informed, the security analyst became suspicious of the situation, even though there was not any unusual behavior on the IDS or any alerts from the antivirus software.
Which of the following BEST describes the type of threat in this situation?

15. As part of an upcoming engagement for a client, an analyst is configuring a penetration testing application to ensure the scan complies with information defined in the SOW.
Which of the following types of information should be considered based on information traditionally found in the SOW? (Select two.)

16. Which of the following commands would a security analyst use to make a copy of an image for forensics use?

17. An alert has been distributed throughout the information security community regarding a critical Apache vulnerability.
Which of the following courses of action would ONLY identify the known vulnerability?

18. A cybersecurity analyst has received an alert that well-known “call home” messages are continuously observed by network sensors at the network boundary. The proxy firewall successfully drops the messages.
After determining the alert was a true positive, which of the following represents the MOST likely cause?

19. An analyst has received unusual alerts on the SIEM dashboard. The analyst wants to get payloads that the hackers are sending toward the target systems without impacting the business operation.
Which of the following should the analyst implement?

20. Which of the following items represents a document that includes detailed information on when an incident was detected, how impactful the incident was, and how it was remediated, in addition to incident response effectiveness and any identified gaps needing improvement?

21. A cybersecurity analyst has several SIEM event logs to review for possible APT activity. The analyst was given several items that include lists of indicators for both IP addresses and domains.
Which of the following actions is the BEST approach for the analyst to perform?

22. An analyst finds that unpatched servers have undetected vulnerabilities because the vulnerability scanner does not have the latest set of signatures. Management directed the security team to have personnel update the scanners with the latest signatures at least 24 hours before conducting any scans, but the outcome is unchanged.
Which of the following is the BEST logical control to address the failure?

23. A software assurance lab is performing a dynamic assessment on an application by automatically generating and inputting different, random data sets to attempt to cause an error/failure condition.
Which of the following software assessment capabilities is the lab performing AND during which phase of the SDLC should this occur? (Select two.)

24. A recent vulnerability scan found four vulnerabilities on an organization’s public Internet-facing IP addresses.
Prioritizing in order to reduce the risk of a breach to the organization, which of the following should be remediated FIRST?

25. Law enforcement has contacted a corporation’s legal counsel because correlated data from a breach shows the organization as the common denominator from all indicators of compromise. An employee overhears the conversation between legal counsel and law enforcement, and then posts a comment about it on social media. The media then starts contacting other employees about the breach.
Which of the following steps should be taken to prevent further disclosure of information about the breach?