Updated 2022 - CySA+ (Plus) Cybersecurity Analyst Certification | CompTIA Exam Dumps with free CS0-002 Practice Exam Questions

1. A security analyst is reviewing vulnerability scan results and notices new workstations are being flagged as having outdated antivirus signatures. The analyst observes the following plugin output:

Antivirus is installed on the remote host:

Installation path: C:\Program Files\AVProduct\Win32\ Product Engine: 14.12.101

Engine Version: 3.5.71

Scanner does not currently have information about AVProduct version 3.5.71. It may no longer be supported.

The engine version is out of date. The oldest supported version from the vendor is 4.2.11.

The analyst uses the vendor's website to confirm the oldest supported version is correct. Which of the following BEST describes the situation?

2. A SIEM solution alerts a security analyst of a high number of login attempts against the company's webmail portal. The analyst determines the login attempts used credentials from a past data breach.

Which of the following is the BEST mitigation to prevent unauthorized access?

3. A product manager is working with an analyst to design a new application that will perform as a data analytics platform and will be accessible via a web browser. The product manager suggests using a PaaS provider to host the application.

Which of the following is a security concern when using a PaaS solution?

4. Because some clients have reported unauthorized activity on their accounts, a security analyst is reviewing network packet captures from the company's API server. A portion of a capture file is shown below:

POST /services/v1_0/Public/Members.svc/soap <s:Envelope+xmlns:s="http:// schemas.s/soap/envelope/"><s:Body><GetIPLocation+xmlns="http://tempuri.org/">

<request+xmlns:a="http://schemas.somesite.org"+xmlns:i="http://www.w3.org/2001/ XMLSchema-instance"></s:Body></s:Envelope> 192.168.1.22 - - api.somesite.com 200

0 1006 1001 0 192.168.1.22

POST /services/v1_0/Public/Members.svc/soap <<a:Password>Password123</ a:Password><a:ResetPasswordToken+i:nil="true"/>

<a:ShouldImpersonatedAuthenticationBePopulated+i:nil="true"/

><a:Username>[email protected]panyname.com</a:Username></request></Login></s:Body></ s:Envelope> 192.168.5.66 - - api.somesite.com 200 0 11558 1712 2024 192.168.4.89

POST /services/v1_0/Public/Members.svc/soap <s:Envelope+xmlns:s="http:// schemas.xmlsoap.org/soap/envelope/"><s:Body><GetIPLocation+xmlns="http:// tempuri.org/"> <a:IPAddress>516.7.446.605</a:IPAddress><a:ZipCode+i:nil="true"/

></request></GetIPLocation></s:Body></s:Envelope> 192.168.1.22 - - api.somesite.com 200 0 1003 1011 307 192.168.1.22

POST /services/v1_0/Public/Members.svc/soap <s:Envelope+xmlns:s="http:// schemas.xmlsoap.org/soap/envelope/"><s:Body><IsLoggedIn+xmlns="http:// tempuri.org/"> <request+xmlns:a="http://schemas.datacontract.org/2004/07/ somesite.web+xmlns:i="http://www.w3.org/2001/XMLSchema- instance"><a:Authentication>

<a:ApiToken>kmL4krg2CwwWBan5BReGv5Djb7syxXTNKcWFuSjd</ a:ApiToken><a:ImpersonateUserId>0</a:ImpersonateUserId><a:LocationId>161222</ a:LocationId> <a:NetworkId>4</a:NetworkId><a:ProviderId>''1=1</ a:ProviderId><a:UserId>13026046</a:UserId></a:Authentication></request></ IsLoggedIn></s:Body></s:Envelope> 192.168.5.66 - - api.somesite.com 200 0 1378

1209 48 192.168.4.89

Which of the following MOST likely explains how the clients' accounts were compromised?

5. A monthly job to install approved vendor software updates and hot fixes recently stopped working. The security team performed a vulnerability scan, which identified several hosts as having some critical OS vulnerabilities, as referenced in the common vulnerabilities and exposures (CVE) database.

Which of the following should the security team do NEXT to resolve the critical findings in the most effective manner? (Choose two.)

6. A development team is testing a new application release. The team needs to import existing client PHI data records from the production environment to the test environment to test accuracy and functionality.

Which of the following would BEST protect the sensitivity of this data while still allowing the team to perform the testing?

7. A network attack that is exploiting a vulnerability in the SNMP is detected. Which of the following should the cybersecurity analyst do FIRST?

8. A network attack that is exploiting a vulnerability in the SNMP is detected. Which of the following should the cybersecurity analyst do FIRST?

9. An organization is moving its infrastructure to the cloud in an effort to meet the budget and reduce staffing requirements. The organization has three environments: development, testing, and production. These environments have interdependencies but must remain relatively segmented.

Which of the following methods would BEST secure the company's infrastructure and be the simplest to manage and maintain?

10. A pharmaceutical company's marketing team wants to send out notifications about new products to alert users of recalls and newly discovered adverse drug reactions. The team plans to use the names and mailing addresses that users have provided.

Which of the following data privacy standards does this violate?

11. A user receives a potentially malicious email that contains spelling errors and a PDF document. A security analyst reviews the email and decides to download the attachment to a Linux sandbox for review.

Which of the following commands would MOST likely indicate if the email is malicious?

12. A development team signed a contract that requires access to an on-premises physical server. Access must be restricted to authorized users only and cannot be connected to the Internet.

Which of the following solutions would meet this requirement?

13. When attempting to do a stealth scan against a system that does not respond to ping, which of the following Nmap commands BEST accomplishes that goal?

14. A team of security analysts has been alerted to potential malware activity. The initial examination indicates one of the affected workstations is beaconing on TCP port 80 to five IP addresses and attempting to spread across the network over port 445. Which of the following should be the team’s NEXT step during the detection phase of this response process?

15. While analyzing logs from a WAF, a cybersecurity analyst finds the following:

“GET /form.php?id=463225%2b%2575%256e%2569%256f%256e%2b%2573%2574%

2box3133333731,1223,1224&name=&state=IL”

Which of the following BEST describes what the analyst has found?

16. A company’s marketing emails are either being found in a spam folder or not being delivered at all. The security analyst investigates the issue and discovers the emails in question are being sent on behalf of the company by a third party, mail.marketing.com. Below is the existing SPF record:

v=spf1 a mx -all

Which of the following updates to the SPF record will work BEST to prevent the emails from being marked as spam or blocked?

17. A security analyst is reviewing the following web server log:

GET %2f..%2f..%2f.. %2f.. %2f.. %2f.. %2f../etc/passwd

Which of the following BEST describes the issue?

18. A hybrid control is one that:

19. After a breach involving the exfiltration of a large amount of sensitive data, a security analyst is reviewing the following firewall logs to determine how the breach occurred:

Which of the following IP addresses does the analyst need to investigate further?

20. A cybersecurity analyst is supporting an incident response effort via threat intelligence. Which of the following is the analyst MOST likely executing?

21. The inability to do remote updates of certificates, keys, software, and firmware is a security issue commonly associated with:

22. A security analyst is conducting a post-incident log analysis to determine which indicators can be used to detect further occurrences of a data exfiltration incident. The analyst determines backups were not performed during this time and reviews the following:

Which of the following should the analyst review to find out how the data was exfiltrated?

23. Which of the following BEST articulates the benefit of leveraging SCAP in an organization’s cybersecurity analysis toolset?

24. Which of the following software assessment methods would be BEST for gathering data related to an application’s availability during peak times?

25. An information security analyst is working with a data owner to identify the appropriate controls to preserve the confidentiality of data within an enterprise environment. One of the primary concerns is exfiltration of data by malicious insiders. Which of the following controls is the MOST appropriate to mitigate risks?

26. A security analyst has discovered that developers have installed browsers on all development servers in the company’s cloud infrastructure and are using them to browse the Internet. Which of the following changes should the security analyst make to BEST protect the environment?

27. An organization that handles sensitive financial information wants to perform tokenization of data to enable the execution of recurring transactions. The organization is most interested in a secure, built-in device to support its solution. Which of the following would MOST likely be required to perform the desired function?

28. An organization has not had an incident for several months. The Chief Information Security Officer (CISO) wants to move to a more proactive stance for security investigations. Which of the following would BEST meet that goal?

29. An analyst is investigating an anomalous event reported by the SOC. After reviewing the system logs, the analyst identifies an unexpected addition of a user with root-level privileges on the endpoint. Which of the following data sources will BEST help the analyst to determine whether this event constitutes an incident?

30. A security analyst discovers a vulnerability on an unpatched web server that is used for testing machine learning on Big Data sets. Exploitation of the vulnerability could cost the organization $1.5 million in lost productivity. The server is located on an isolated network segment that has a 5% chance of being compromised. Which of the following is the value of this risk?

31. A security analyst is investigating a system compromise. The analyst verifies the system was up to date on OS patches at the time of the compromise. Which of the following describes the type of vulnerability that was MOST likely exploited?

32. An organization developed a comprehensive incident response policy. Executive management approved the policy and its associated procedures. Which of the following activities would be MOST beneficial to evaluate personnel’s familiarity with incident response procedures?

33. A cybersecurity analyst is responding to an incident. The company’s leadership team wants to attribute the incident to an attack group. Which of the following models would BEST apply to the situation?

34. Which of the following would a security engineer recommend to BEST protect sensitive system data from being accessed on mobile devices?

35. A security analyst implemented a solution that would analyze the attacks that the organization’s firewalls failed to prevent. The analyst used the existing systems to enact the solution and executed the following command:

$ sudo nc -1 –v –e maildaemon.py 25 > caplog.txt

Which of the following solutions did the analyst implement?

36. Which of the following will allow different cloud instances to share various types of data with a minimal amount of complexity?

37. A finance department employee has received a message that appears to have been sent from the Chief Financial Officer (CFO), asking the employee to perform a wire transfer. Analysis of the email shows the message came from an external source and is fraudulent. Which of the following would work BEST to improve the likelihood of employees quickly recognizing fraudulent emails?

38. A security analyst wants to identify which vulnerabilities a potential attacker might initially exploit if the network is compromised. Which of the following would provide the BEST results?

39. An analyst has been asked to provide feedback regarding the controls required by a revised regulatory framework. At this time, the analyst only needs to focus on the technical controls.

Which of the following should the analyst provide an assessment of?

40. A cybersecurity analyst needs to rearchitect the network using a firewall and a VPN server to achieve the highest level of security. To BEST complete this task, the analyst should place the:

41. Which of the following policies would state an employee should not disable security safeguards, such as host firewalls and antivirus, on company systems?

42. Which of the following policies would state an employee should not disable security safeguards, such as host firewalls and antivirus, on company systems?

43. As part of a review of incident response plans, which of the following is MOST important for an organization to understand when establishing the breach notification period?

44. A security analyst discovers accounts in sensitive SaaS-based systems are not being removed in a timely manner when an employee leaves the organization. To BEST resolve the issue, the organization should implement:

45. A large software company wants to move its source control and deployment pipelines into a cloud-computing environment. Due to the nature of the business, management determines the recovery time objective needs to be within one hour. Which of the following strategies would put the company in the BEST position to achieve the desired recovery time?

46. A cybersecurity analyst is reading a daily intelligence digest of new vulnerabilities. The type of vulnerability that should be disseminated FIRST is one that:

47. A company’s incident response team is handling a threat that was identified on the network. Security analysts have determined a web server is making multiple connections from TCP port 445 outbound to servers inside its subnet as well as at remote sites. Which of the following is the MOST appropriate next step in the incident response plan?

48. During an incident, a cybersecurity analyst found several entries in the web server logs that are related to an IP with a bad reputation. Which of the following would cause the analyst to further review the incident?

49. A developer wrote a script to make names and other PII data unidentifiable before loading a database export into the testing system. Which of the following describes the type of control that is being used?

50. Which of the following attacks can be prevented by using output encoding?

51. The help desk provided a security analyst with a screenshot of a user’s desktop:

For which of the following is aircrack-ng being used?

52. A security manager has asked an analyst to provide feedback on the results of a penetration test. After reviewing the results, the manager requests information regarding the possible exploitation of vulnerabilities. Which of the following information data points would be MOST useful for the analyst to provide to the security manager, who would then communicate the risk factors to senior management? (Choose two.)

53. A security analyst has been alerted to several emails that show evidence an employee is planning malicious activities that involve employee PII on the network before leaving the organization. The security analyst’s BEST response would be to coordinate with the legal department and:

54. While preparing for an audit of information security controls in the environment, an analyst outlines a framework control that has the following requirements:

All sensitive data must be classified.

All sensitive data must be purged on a quarterly basis. Certificates of disposal must remain on file for at least three years.

This framework control is MOST likely classified as:

55. An analyst performs a routine scan of a host using Nmap and receives the following output:

Which of the following should the analyst investigate FIRST?

56. A security analyst at a technology solutions firm has uncovered the same vulnerabilities on a vulnerability scan for a long period of time. The vulnerabilities are on systems that are dedicated to the firm’s largest client.

Which of the following is MOST likely inhibiting the remediation efforts?

57. A security analyst gathered forensics from a recent intrusion in preparation for legal proceedings. The analyst used EnCase to gather the digital forensics, cloned the hard drive, and took the hard drive home for further analysis.

Which of the following did the security analyst violate?

58. A threat feed notes malicious actors have been infiltrating companies and exfiltrating data to a specific set of domains. Management at an organization wants to know if it is a victim. Which of the following should the security analyst recommend to identify this behavior without alerting any potential malicious actors?

59. A security analyst discovered a specific series of IP addresses that are targeting an organization. None of the attacks have been successful. Which of the following should the security analyst perform NEXT?

60. Which of the following is the MOST important objective of a post-incident review?

61. An organization was alerted to a possible compromise after its proprietary data was found for sale on the Internet. An analyst is reviewing the logs from the next-generation UTM in an attempt to find evidence of this breach. Given the following output:

Which of the following should be the focus of the investigation?

62. A company wants to establish a threat-hunting team. Which of the following BEST describes the rationale for integrating intelligence into hunt operations?

63. A security analyst is investigating a compromised Linux server. The analyst issues the ps command and receives the following output:

Which of the following commands should the administrator run NEXT to further analyze the compromised system?

64. A security analyst is reviewing the following log entries to identify anomalous activity:

Which of the following attack types is occurring?

65. A web-based front end for a business intelligence application uses pass-through authentication to authenticate users. The application then uses a service account to perform queries and look up data in a database. A security analyst discovers employees are accessing data sets they have not been authorized to use. Which of the following will fix the cause of the issue?

66. A company’s Chief Information Security Officer (CISO) is concerned about the integrity of some highly confidential files. Any changes to these files must be tied back to a specific authorized user’s activity session. Which of the following is the BEST technique to address the CISO’s concerns?a

67. Which of the following secure coding techniques can be used to prevent cross-site request forgery attacks?

68. A security analyst scanned an internal company subnet and discovered a host with the following Nmap output.

Based on the output of this Nmap scan, which of the following should the analyst investigate FIRST?

69. Which of the following technologies can be used to store digital certificates and is typically used in high- security implementations where integrity is paramount?

70. A security analyst is investigating a malware infection that occurred on a Windows system. The system was not connected to a network and had no wireless capability. Company policy prohibits using portable media or mobile storage. The security analyst is trying to determine which user caused the malware to get onto the system. Which of the following registry keys would MOST likely have this information?

71. Clients are unable to access a company’s API to obtain pricing data. An analyst discovers sources other than clients are scraping the API for data, which is causing the servers to exceed available resources. Which of the following would be BEST to protect the availability of the APIs?

72. A security analyst recently discovered two unauthorized hosts on the campus’s wireless network segment from a man-in-the-middle attack. The security analyst also verified that privileges were not escalated, and the two devices did not gain access to other network devices. Which of the following would BEST mitigate and improve the security posture of the wireless network for this type of attack?

73. Given the Nmap request below:

Which of the following actions will an attacker be able to initiate directly against this host?

74. As part of an organization’s information security governance process, a Chief Information Security Officer (CISO) is working with the compliance officer to update policies to include statements related to new regulatory and legal requirements. Which of the following should be done to BEST ensure all employees are appropriately aware of changes to the policies?

75. During an investigation, an analyst discovers the following rule in an executive’s email client:

IF * TO <[email protected]> THEN mailto: <[email protected]> SELECT FROM ‘sent’ THEN DELETE FROM <[email protected]>

The executive is not aware of this rule. Which of the following should the analyst do FIRST to evaluate the potential impact of this security incident?

76. A critical server was compromised by malware, and all functionality was lost. Backups of this server were taken; however, management believes a logic bomb may have been injected by a rootkit. Which of the following should a security analyst perform to restore functionality quickly?

77. An analyst wants to identify hosts that are connecting to the external FTP servers and what, if any, passwords are being used. Which of the following commands should the analyst use?

78. An analyst wants to identify hosts that are connecting to the external FTP servers and what, if any, passwords are being used. Which of the following commands should the analyst use?