CS0-002 CompTIA CySA+ Online Prep Questions

11. When attempting to do a stealth scan against a system that does not respond to ping, which of the following Nmap commands BEST accomplishes that goal?

12. A company wants to establish a threat-hunting team.

Which of the following BEST describes the rationale for integration intelligence into hunt operations?

13. A security analyst is reviewing a suspected phishing campaign that has targeted an organisation. The organization has enabled a few email security technologies in the last year: however, the analyst believes the security features are not working.

The analyst runs the following command:

> dig domain._domainkey.comptia.orq TXT

Which of the following email protection technologies is the analyst MOST likely validating?

14. A company recently experienced a break-in whereby a number of hardware assets were stolen through unauthorized access at the back of the building.

Which of the following would BEST prevent this type of theft from occurring in the future?

15. A forensic analyst took an image of a workstation that was involved in an incident To BEST ensure the image is not tampered with me analyst should use:

16. During an incident, a cybersecurity analyst found several entries in the web server logs that are related to an IP with a bad reputation .

Which of the following would cause the analyst to further review the incident?

A)





B)





C)





D)





E)

17. A security analyst is building a malware analysis lab. The analyst wants to ensure malicious applications are not capable of escaping the virtual machines and pivoting to other networks.

To BEST mitigate this risk, the analyst should use.

18. Ransomware is identified on a company's network that affects both Windows and MAC hosts. The command and control channel for encryption for this variant uses TCP ports from 11000 to 65000. The channel goes to good1. Iholdbadkeys.com, which resolves to IP address 72.172.16.2.

Which of the following is the MOST effective way to prevent any newly infected systems from actually encrypting the data on connected network drives while causing the least disruption to normal Internet traffic?

19. While preparing of an audit of information security controls in the environment an analyst outlines a framework control that has the following requirements:

• All sensitive data must be classified

• All sensitive data must be purged on a quarterly basis

• Certificates of disposal must remain on file for at least three years This framework control is MOST likely classified as:

20. An organization developed a comprehensive modern response policy Executive management approved the policy and its associated procedures.

Which of the following activities would be MOST beneficial to evaluate personnel's familiarity with incident response procedures?

21. An analyst performs a routine scan of a host using Nmap and receives the following output:





Which of the following should the analyst investigate FIRST?

22. A security technician is testing a solution that will prevent outside entities from spoofing the company's email domain, which is comptiA.org. The testing is successful, and the security technician is prepared to fully implement the solution.

Which of the following actions should the technician take to accomplish this task?

23. A security analyst is trying to determine if a host is active on a network.

The analyst first attempts the following:





The analyst runs the following command next:





Which of the following would explain the difference in results?

24. An organization needs to limit its exposure to accidental disclosure when employees send emails that contain personal information to recipients outside the company.

Which of the following technical controls would BEST accomplish this goal?

25. A cybersecurity analyst is currently checking a newly deployed server that has an access control list applied.

When conducting the scan, the analyst received the following code snippet of results:





Which of the following describes the output of this scan?

26. A security analyst received a SIEM alert regarding high levels of memory consumption for a critical system. After several attempts to remediate the issue, the system went down. A root cause analysis revealed a bad actor forced the application to not reclaim memory. This caused the system to be depleted of resources.

Which of the following BEST describes this attack?

27. A security analyst working in the SOC recently discovered Balances m which hosts visited a specific set of domains and IPs and became infected with malware.

Which of the following is the MOST appropriate action to take in the situation?

28. Which of the following BEST articulates the benefit of leveraging SCAP in an organization’s cybersecurity analysis toolset?

29. A Chief Security Officer (CSO) is working on the communication requirements (or an organization's incident response plan.

In addition to technical response activities, which of the following is the main reason why communication must be addressed in an effective incident response program?

30. An employee in the billing department accidentally sent a spreadsheet containing payment card data to a recipient outside the organization. The employee intended to send the spreadsheet to an internal staff member with a similar name and was unaware of the mistake until the recipient replied to the message.

In addition to retraining the employee, which of the following would prevent this from happening in the future?

31. An analyst wants to identify hosts that are connecting to the external FTP servers and what, if any, passwords are being used.

Which of the following commands should the analyst use?

32. An information security analyst observes anomalous behavior on the SCADA devices in a power plant. This behavior results in the industrial generators overheating and destabilizing the power supply.

Which of the following would BEST identify potential indicators of compromise?

33. During a routine log review, a security analyst has found the following commands that cannot be identified from the Bash history log on the root user.





Which of the following commands should the analyst investigate FIRST?

34. A security analyst is investigating a system compromise. The analyst verities the system was up to date on OS patches at the time of the compromise.

Which of the following describes the type of vulnerability that was MOST likely expiated?

35. A SIEM solution alerts a security analyst of a high number of login attempts against the company's webmail portal. The analyst determines the login attempts used credentials from a past data breach.

Which of the following is the BEST mitigation to prevent unauthorized access?

36. A user's computer has been running slowly when the user tries to access web pages.

A security analyst runs the command netstat -aon from the command line and receives the following output:





Which of the following lines indicates the computer may be compromised?

37. A security analyst was alerted to a tile integrity monitoring event based on a change to the vhost-paymonts .conf file.

The output of the diff command against the known-good backup reads as follows:





Which of the following MOST likely occurred?

38. A hybrid control is one that:

39. A bad actor bypasses authentication and reveals all records in a database through an SQL injection. Implementation of which of the following would work BEST to prevent similar attacks in

40. An organization is moving its infrastructure to the cloud in an effort to meet the budget and reduce staffing requirements. The organization has three environments: development, testing, and production. These environments have interdependencies but must remain relatively segmented.

Which of the following methods would BEST secure the company's infrastructure and be the simplest to manage and maintain?

41. An organization developed a comprehensive incident response policy. Executive management approved the policy and its associated procedures.

Which of the following activities would be MOST beneficial to evaluate personnel’s familiarity with incident response procedures?

42. Data spillage occurred when an employee accidentally emailed a sensitive file to an external recipient.

Which of the following controls would have MOST likely prevented this incident?

43. Which of the following will allow different cloud instances to share various types of data with a minimal amount of complexity?

44. A monthly job to install approved vendor software updates and hot fixes recently stopped working. The security team performed a vulnerability scan, which identified several hosts as having some critical OS vulnerabilities, as referenced in the common vulnerabilities and exposures (CVE) database.

Which of the following should the security team do NEXT to resolve the critical findings in the most effective manner? (Choose two.)

45. Which of the following should be found within an organization's acceptable use policy?

46. A Chief Information Security Officer (CISO) is concerned developers have too much visibility into customer data.

Which of the following controls should be implemented to BEST address these concerns?

47. An analyst is working with a network engineer to resolve a vulnerability that was found in a piece of legacy hardware, which is critical to the operation of the organization's production line. The legacy hardware does not have third-party support, and the OEM manufacturer of the controller is no longer in operation. The analyst documents the activities and verifies these actions prevent remote exploitation of the vulnerability.

Which of the following would be the MOST appropriate to remediate the controller?

48. A security analyst is investigating an incident that appears to have started with SOL injection against a publicly available web application.

Which of the following is the FIRST step the analyst should take to prevent future attacks?

49. A security analyst is reviewing vulnerability scan results and notices new workstations are being flagged as having outdated antivirus signatures.

The analyst observes the following plugin output:





The analyst uses the vendor's website to confirm the oldest supported version is correct.

Which of the following BEST describes the situation?

50. A security analyst is reviewing the following log entries to identify anomalous activity:





Which of the following attack types is occurring?

51. After a breach involving the exfiltration of a large amount of sensitive data a security analyst is reviewing the following firewall logs to determine how the breach occurred:





Which of the following IP addresses does the analyst need to investigate further?

52. A large amount of confidential data was leaked during a recent security breach. As part of a forensic investigation, the security team needs to identify the various types of traffic that were captured between two compromised devices.

Which of the following should be used to identify the traffic?

53. An incident responder successfully acquired application binaries off a mobile device for later forensic analysis.

Which of the following should the analyst do NEXT?

54. Joe, a penetration tester, used a professional directory to identify a network administrator and ID administrator for a client’s company. Joe then emailed the network administrator, identifying himself as the ID administrator, and asked for a current password as part of a security exercise.

Which of the following techniques were used in this scenario?

55. Which of the following is the use of tools to simulate the ability for an attacker to gain access to a specified network?

56. While planning segmentation for an ICS environment, a security engineer determines IT resources will need access to devices within the ICS environment without compromising security.

To provide the MOST secure access model in this scenario, the jumpbox should be.

57. Which of the following secure coding techniques can be used to prevent cross-site request forgery attacks?

58. Risk management wants IT to implement a solution that will permit an analyst to intercept, execute, and analyze potentially malicious files that are downloaded from the Internet.

Which of the following would BEST provide this solution?

59. A web-based front end for a business intelligence application uses pass-through authentication to authenticate users. The application then uses a service account, to perform queries and look up data m a database A security analyst discovers employees are accessing data sets they have not been authorized to use.

Which of the following will fix the cause of the issue?

60. Clients are unable to access a company’s API to obtain pricing data. An analyst discovers sources other than clients are scraping the API for data, which is causing the servers to exceed available resources.

Which of the following would be BEST to protect the availability of the APIs?

61. A security team is implementing a new vulnerability management program in an environment that has a historically poor security posture. The team is aware of issues patch management in the environment and expects a large number of findings.

Which of the following would be the MOST efficient way to increase the security posture of the organization in the shortest amount of time?

62. The computer incident response team at a multinational company has determined that a breach of sensitive data has occurred in which a threat actor has compromised the organization’s email system. Per the incident response procedures, this breach requires notifying the board immediately.

Which of the following would be the BEST method of communication?

63. A security analyst for a large financial institution is creating a threat model for a specific threat actor that is likely targeting an organization's financial assets.

Which of the following is the BEST example of the level of sophistication this threat actor is using?

64. During an investigation, an analyst discovers the following rule in an executive’s email client:

IF * TO <executive@anycompany.com> THEN mailto: <someaddress@domain.com>

SELECT FROM ‘sent’ THEN DELETE FROM <executive@anycompany.com>

The executive is not aware of this rule.

Which of the following should the analyst do FIRST to evaluate the potential impact of this security incident?

65. During routine monitoring, a security analyst discovers several suspicious websites that are communicating with a local host.

The analyst queries for IP 192.168.50.2 for a 24-hour period:





To further investigate, the analyst should request PCAP for SRC 192.168.50.2 and.

66. An analyst is reviewing the following output:





Which of the following was MOST likely used to discover this?

67. A security analyst is supporting an embedded software team.

Which of the following is the BEST recommendation to ensure proper error handling at runtime?

68. During an investigation, a security analyst determines suspicious activity occurred during the night shift over the weekend. Further investigation reveals the activity was initiated from an internal IP going to an external website.

Which of the following would be the MOST appropriate recommendation to prevent the activity from happening in the future?

69. A security analyst is reviewing packet captures from a system that was compromised. The system was already isolated from the network, but it did have network access for a few hours after being compromised.

When viewing the capture in a packet analyzer, the analyst sees the following:





Which of the following can the analyst conclude?

70. The inability to do remote updates of certificates. keys software and firmware is a security issue commonly associated with:

71. A security analyst received an email with the following key:

Xj3XJ3LLc

A second security analyst received an email with following key:

3XJ3xjcLLC

The security manager has informed the two analysts that the email they received is a key that allows access to the company’s financial segment for maintenance.

This is an example of:

72. A security analyst is providing a risk assessment for a medical device that will be installed on the corporate network. During the assessment, the analyst discovers the device has an embedded operating system that will be at the end of its life in two years. Due to the criticality of the device, the security committee makes a risk-based policy decision to review and enforce the vendor upgrade before the end of life is reached.

Which of the following risk actions has the security committee taken?

73. A security analyst is reviewing a web application. If an unauthenticated user tries to access a page in the application, the user is redirected to the login page. After successful authentication, the user is then redirected back to the original page. Some users have reported receiving phishing emails with a link that takes them to the application login page but then redirects to a fake login page after successful authentication.

Which of the following will remediate this software vulnerability?

74. D18912E1457D5D1DDCBD40AB3BF70D5D

A security analyst scanned an internal company subnet and discovered a host with the following Nmap output.





Based on the output of this Nmap scan, which of the following should the analyst investigate FIRST?

75. A security analyst has received information from a third-party intelligence-sharing resource that indicates employee accounts were breached.

Which of the following is the NEXT step the analyst should take to address the issue?

76. An information security analyst on a threat-hunting team Is working with administrators to create a hypothesis related to an internally developed web application.

The working hypothesis is as follows:

• Due to the nature of the industry, the application hosts sensitive data associated with many clients and Is a significant target

•. The platform Is most likely vulnerable to poor patching and Inadequate server hardening, which expose vulnerable services.

•. The application is likely to be targeted with SQL injection attacks due to the large number of reporting capabilities within the application.

As a result, the systems administrator upgrades outdated service applications and validates the endpoint configuration against an industry benchmark. The analyst suggests developers receive additional training on implementing identity and access management, and also implements a WAF to protect against SOL injection attacks.

Which of the following BEST represents the technique in use?

77. An incident response team is responding to a breach of multiple systems that contain PII and PHI.

Disclosing the incident to external entities should be based on:

78. A security analyst has a sample of malicious software and needs to know what the sample does. The analyst runs the sample in a carefully controlled and monitored virtual machine to observe the software behavior.

Which of the following malware analysis approaches is this?

79. A company’s Chief Information Security Officer (CISO) is concerned about the integrity of some highly confidential files. Any changes to these files must be tied back to a specific authorized user’s activity session.

Which of the following is the BEST technique to address the CISO’s concerns?

80. A team of security analysts has been alerted to potential malware activity. The initial examination indicates one of the affected workstations is beaconing on TCP port 80 to five IP addresses and attempting to spread across the network over port 445.

Which of the following should be the team’s NEXT step during the detection phase of this response process?

81. A security analyst on the threat-hunting team has developed a list of unneeded, benign services that are currently running as part of the standard OS deployment for workstations. The analyst will provide this list to the operations team to create a policy that will automatically disable the services for all workstations in the organization.

Which of the following BEST describes the security analyst's goal?

82. HOTSPOT

Welcome to the Enterprise Help Desk System. Please work the ticket escalated to you in the desk ticket queue.



INSTRUCTIONS

Click on me ticket to see the ticket details Additional content is available on tabs within the ticket

First, select the appropriate issue from the drop-down menu. Then, select the MOST likely root cause from second drop-down menu

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button

83. A developer wrote a script to make names and other Pll data unidentifiable before loading a

database export into the testing system.

Which of the following describes the type of control that is being used?

84. An executive assistant wants to onboard a new cloud based product to help with business analytics and dashboarding. When of the following would be the BEST integration option for the service?

85. What is the executable file name or the malware?

86. Which of the following assessment methods should be used to analyze how specialized software performs during heavy loads?

87. A threat feed notes malicious actors have been infiltrating companies and exfiltration data to a specific set of domains Management at an organization wants to know if it is a victim.

Which of the following should the security analyst recommend to identity this behavior without alerting any potential malicious actors?

88. A cybersecurity analyst is responding to an incident. The company’s leadership team wants to attribute the incident to an attack group.

Which of the following models would BEST apply to the situation?

89. A cybersecurity analyst is dissecting an intrusion down to the specific techniques and wants to organize them in a logical manner.

Which of the following frameworks would BEST apply in this situation?

90. A company just chose a global software company based in Europe to implement a new supply chain management solution.

Which of the following would be the MAIN concern of the company?

91. HOTSPOT

Welcome to the Enterprise Help Desk System. Please work the ticket escalated to you in the desk ticket queue.



INSTRUCTIONS

Click on me ticket to see the ticket details Additional content is available on tabs within the ticket

First, select the appropriate issue from the drop-down menu. Then, select the MOST likely root cause from second drop-down menu

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button

92. An employee in the billing department accidentally sent a spreadsheet containing payment card data to a recipient outside the organization The employee intended to send the spreadsheet to an internal staff member with a similar name and was unaware of the mistake until the recipient replied to the message In addition to retraining the employee, which of the following would prevent this from happening in the future?

93. A security analyst was alerted to a tile integrity monitoring event based on a change to the vhost-paymonts .conf file.

The output of the diff command against the known-good backup reads as follows:





Which of the following MOST likely occurred?

94. A security analyst recently discovered two unauthorized hosts on the campus's wireless network segment from a man-m-the-middle attack .The security analyst also verified that privileges were not escalated, and the two devices did not gain access to other network devices.

Which of the following would BEST mitigate and improve the security posture of the wireless network for this type of attack?

95. A security analyst is investigating a malware infection that occurred on a Windows system. The system was not connected to a network and had no wireless capability Company policy prohibits using portable media or mobile storage The security analyst is trying to determine which user caused the malware to get onto the system Which of the following registry keys would MOST likely have this information?

A)





B)





C)





D)

96. Which of the following MOST accurately describes an HSM?

97. A security analyst is investigating malicious traffic from an internal system that attempted to download proxy avoidance software as identified from the firewall logs but the destination IP is blocked and not captured.

Which of the following should the analyst do?

98. Which of the following technologies can be used to house the entropy keys for disk encryption on desktops and laptops?

99. A developer wrote a script to make names and other Pll data unidentifiable before loading a database export into the testing system.

Which of the following describes the type of control that is being used?

100. A security analyst receives an alert that highly sensitive information has left the company's network Upon investigation, the analyst discovers an outside IP range has had connections from three servers more than 100 times m the past month. The affected servers are virtual machines.

Which of the following is the BEST course of action?

101. A security analyst is investigating a compromised Linux server. The analyst issues the ps command and receives the following output.





Which of the following commands should the administrator run NEXT to further analyze the compromised system?

102. A small organization has proprietary software that is used internally. The system has not been well maintained and cannot be updated with the rest of the environment.

Which of the following is the BEST solution?

103. Which of the following attacks can be prevented by using output encoding?

104. A security analyst is responding to an incident on a web server on the company network that is making a large number of outbound requests over DNS.

Which of the following is the FIRST step the analyst should take to evaluate this potential indicator of compromise'?

105. A security analyst conducted a risk assessment on an organization's wireless network and identified a high-risk element in the implementation of data confidentially protection.

Which of the following is the BEST technical security control to mitigate this risk?

106. A security analyst discovers accounts in sensitive SaaS-based systems are not being removed in a timely manner when an employee leaves the organization. To BEST resolve the issue, the organization should implement

107. As a proactive threat-hunting technique, hunters must develop situational cases based on likely attack scenarios derived from the available threat intelligence information.

After forming the basis of the scenario, which of the following may the threat hunter construct to establish a framework for threat assessment?

108. A new on-premises application server was recently installed on the network. Remote access to the server was enabled for vendor support on required ports, but recent security reports show large amounts of data are being sent to various unauthorized networks through those ports.

Which of the following configuration changes must be implemented to resolve this security issue while still allowing remote vendor access?

109. An organization wants to move non-essential services into a cloud computing environment. Management has a cost focus and would like to achieve a recovery time objective of 12 hours.

Which of the following cloud recovery strategies would work BEST to attain the desired outcome?

110. As part of a merger with another organization, a Chief Information Security Officer (CISO) is working with an assessor to perform a risk assessment focused on data privacy compliance. The CISO is primarily concerned with the potential legal liability and fines associated with data privacy.

Based on the CISO's concerns, the assessor will MOST likely focus on:

111. An organization needs to limit its exposure to accidental disclosure when employees send emails that contain personal information to recipients outside the company.

Which of the following technical controls would BEST accomplish this goal?

112. During a routine log review, a security analyst has found the following commands that cannot be identified from the Bash history log on the root user.





Which of the following commands should the analyst investigate FIRST?

113. A company recently experienced a break-in whereby a number of hardware assets were stolen through unauthorized access at the back of the building.

Which of the following would BEST prevent this type of theft from occurring in the future?

114. An analyst is performing penetration testing and vulnerability assessment activities against a new vehicle automation platform.

Which of the following is MOST likely an attack vector that is being utilized as part of the testing and assessment?

115. An information security analyst observes anomalous behavior on the SCADA devices in a power plant. This behavior results in the industrial generators overheating and destabilizing the power supply.

Which of the following would BEST identify potential indicators of compromise?

116. Which of the following would MOST likely be included in the incident response procedure after a security breach of customer PII?

117. An analyst is working with a network engineer to resolve a vulnerability that was found in a piece of legacy hardware, which is critical to the operation of the organization's production line. The legacy hardware does not have third-party support, and the OEM manufacturer of the controller is no longer in operation. The analyst documents the activities and verifies these actions prevent remote exploitation of the vulnerability.

Which of the following would be the MOST appropriate to remediate the controller?

118. A small electronics company decides to use a contractor to assist with the development of a new FPGA-based device. Several of the development phases will occur off-site at the contractor's labs.

Which of the following is the main concern a security analyst should have with this arrangement?

119. A security analyst is trying to determine if a host is active on a network.

The analyst first attempts the following:





The analyst runs the following command next:





Which of the following would explain the difference in results?

120. A cybersecurity analyst is contributing to a team hunt on an organization's endpoints.

Which of the following should the analyst do FIRST?

121. A security analyst received a SIEM alert regarding high levels of memory consumption for a critical system. After several attempts to remediate the issue, the system went down. A root cause analysis revealed a bad actor forced the application to not reclaim memory. This caused the system to be depleted of resources.

Which of the following BEST describes this attack?

122. Which of the following software security best practices would prevent an attacker from being able to run arbitrary SQL commands within a web application? (Choose two.)

123. A cyber-incident response analyst is investigating a suspected cryptocurrency miner on a company's server.

Which of the following is the FIRST step the analyst should take?

124. An information security analyst is compiling data from a recent penetration test and reviews the following output:





The analyst wants to obtain more information about the web-based services that are running on the target.

Which of the following commands would MOST likely provide the needed information?

125. A compliance officer of a large organization has reviewed the firm's vendor management program but has discovered there are no controls defined to evaluate third-party risk or hardware source authenticity. The compliance officer wants to gain some level of assurance on a recurring basis regarding the implementation of controls by third parties.

Which of the following would BEST satisfy the objectives defined by the compliance officer? (Choose two.)

126. An audit has revealed an organization is utilizing a large number of servers that are running unsupported operating systems.

As part of the management response phase of the audit, which of the following would BEST demonstrate senior management is appropriately aware of and addressing the issue?

127. A security analyst is reviewing packet captures from a system that was compromised. The system was already isolated from the network, but it did have network access for a few hours after being compromised.

When viewing the capture in a packet analyzer, the analyst sees the following:





Which of the following can the analyst conclude?

128. It is important to parameterize queries to prevent:

129. A security analyst reviews the following aggregated output from an Nmap scan and the border firewall ACL:





Which of the following should the analyst reconfigure to BEST reduce organizational risk while maintaining current functionality?

130. During an investigation, a security analyst determines suspicious activity occurred during the night shift over the weekend. Further investigation reveals the activity was initiated from an internal IP going to an external website.

Which of the following would be the MOST appropriate recommendation to prevent the activity from happening in the future?

131. A security analyst has received reports of very slow, intermittent access to a public-facing corporate server.

Suspecting the system may be compromised, the analyst runs the following commands:





Based on the output from the above commands, which of the following should the analyst do NEXT to further the investigation?

132. A Chief Information Security Officer (CISO) wants to upgrade an organization's security posture by improving proactive activities associated with attacks from internal and external threats.

Which of the following is the MOST proactive tool or technique that feeds incident response capabilities?

133. While planning segmentation for an ICS environment, a security engineer determines IT resources will need access to devices within the ICS environment without compromising security.

To provide the MOST secure access model in this scenario, the jumpbox should be.

134. A development team uses open-source software and follows an Agile methodology with two-week sprints. Last month, the security team filed a bug for an insecure version of a common library. The DevOps team updated the library on the server, and then the security team rescanned the server to verify it was no longer vulnerable. This month, the security team found the same vulnerability on the server.

Which of the following should be done to correct the cause of the vulnerability?

135. A security analyst is reviewing the logs from an internal chat server. The chat.log file is too large to review manually, so the analyst wants to create a shorter log file that only includes lines associated with a user demonstrating anomalous activity.

Below is a snippet of the log:





Which of the following commands would work BEST to achieve the desired result?

136. An analyst is participating in the solution analysis process for a cloud-hosted SIEM platform to centralize log monitoring and alerting capabilities in the SOC.

Which of the following is the BEST approach for supply chain assessment when selecting a vendor?

137. A security technician is testing a solution that will prevent outside entities from spoofing the company's email domain, which is comptia.org. The testing is successful, and the security technician is prepared to fully implement the solution.

Which of the following actions should the technician take to accomplish this task?