Q1.A security analyst is correlating, ranking, and enriching raw data into a report that will be interpreted by humans or machines to draw conclusions and create actionable recommendations. Which of the following steps in the intelligence cycle is the security analyst performing?
A. Analysis and production
B. Processing and exploitation
C. Dissemination and evaluation
D. Data collection
E. Planning and direction
Q2.A financial organization has offices located globally. Per the organization’s policies and procedures, all executives who conduct business overseas must have their mobile devices checked for malicious software or evidence of tampering upon their return. The information security department oversees this process, and no executive has had a device compromised. The Chief Information Security Officer wants to implement an additional safeguard to protect the organization’s data.
Which of the following controls would work BEST to protect the privacy of the data if a device is stolen?
A. Implement a mobile device wiping solution for use if a device is lost or stolen.
B. Install a DLP solution to track data flow.
C. Install an encryption solution on all mobile devices.
D. Train employees to report a lost or stolen laptop to the security department immediately.
Q3.During routine monitoring, a security analyst identified the following enterprise network traffic:
Packet capture output:
Which of the following BEST describes what the security analyst observed?
A. 66.187.224.210 set up a DNS hijack with 192.168.12.21.
B. 192.168.12.21 made a TCP connection to 66.187.224.210.
C. 192.168.12.21 made a TCP connection to 209.132.177.50.
D. 209.132.177.50 set up a TCP reset attack to 192.168.12.21.
Q4.A security analyst is performing a Diamond Model analysis of an incident the company had last quarter. A potential benefit of this activity is that it can identify:
A. detection and prevention capabilities to improve.
B. which systems were exploited more frequently.
C. possible evidence that is missing during forensic analysis.
D. which analysts require more training.
E. the time spent by analysts on each of the incidents.
Q5.A security analyst discovers suspicious host activity while performing monitoring activities. The analyst pulls a packet capture for the activity and sees the following:
Follow TCP stream:
Which of the following describes what has occurred?
A. The host attempted to download an application from utoftor.com.
B. The host downloaded an application from utoftor.com.
C. The host attempted to make a secure connection to utoftor.com.
D. The host rejected the connection from utoftor.com.
Q6.An organization has the following policy statements:
✑ All emails entering or leaving the organization will be subject to inspection for malware, policy violations, and unauthorized content.
✑ All network activity will be logged and monitored.
✑ Confidential data will be tagged and tracked.
✑ Confidential data must never be transmitted in an unencrypted form.
✑ Confidential data must never be stored on an unencrypted mobile device.
Which of the following is the organization enforcing?
A. Acceptable use policy
B. Data privacy policy
C. Encryption policy
D. Data management policy
Q7.An information security analyst discovered a virtual machine server was compromised by an attacker. Which of the following should be the FIRST steps to confirm and respond to the incident? (Choose two.)
A. Pause the virtual machine.
B. Shut down the virtual machine.
C. Take a snapshot of the virtual machine.
D. Remove the NIC from the virtual machine.
E. Review host hypervisor log of the virtual machine.
F. Execute a migration of the virtual machine.
Q8.An information security analyst discovered a virtual machine server was compromised by an attacker. Which of the following should be the FIRST step to confirm and respond to the incident?
A. Pause the virtual machine.
B. Shut down the virtual machine.
C. Take a snapshot of the virtual machine.
D. Remove the NIC from the virtual machine.
Q9.A security analyst received a SIEM alert regarding high levels of memory consumption for a critical system. After several attempts to remediate the issue, the system went down. A root cause analysis revealed a bad actor forced the application to not reclaim memory. This caused the system to be depleted of resources. Which of the following BEST describes this attack?
A. Injection attack
B. Memory corruption
C. Denial of service
D. Array attack
Q10.A company’s legal and accounting teams have decided it would be more cost-effective to offload the risks of data storage to a third party. The IT management team has decided to implement a cloud model and has asked the security team for recommendations. Which of the following will allow all data to be kept on the third-party network?
A. VDI
B. SaaS
C. CASB
D. FaaS
Q11.An analyst receives artifacts from a recent intrusion and is able to pull a domain, IP address, email address, and software version. Which of the following points of the Diamond Model of Intrusion Analysis does this intelligence represent?
A. Infrastructure
B. Capabilities
C. Adversary
D. Victims
Q12.A company stores all of its data in the cloud. All company-owned laptops are currently unmanaged, and all users have administrative rights. The security team is having difficulty identifying a way to secure the environment. Which of the following would be the BEST method to protect the company’s data?
A. Implement UEM on all systems and deploy security software.
B. Implement DLP on all workstations and block company data from being sent outside the company.
C. Implement a CASB and prevent certain types of data from being downloaded to a workstation.
D. Implement centralized monitoring and logging for all company systems.
Q13.A company’s domain has been spoofed in numerous phishing campaigns. An analyst needs to determine why the company is a victim of domain spoofing, despite having a DMARC record that should tell mailbox providers to ignore any email that fails DMARC. Upon review of the record, the analyst finds the following: v=DMARC1; p=none; fo=0; rua=mailto:security@company.com; ruf=mailto:security@company.com; adkim=r; rf=afrf; ri=86400;
Which of the following BEST explains the reason why the company’s requirements are not being processed correctly by mailbox providers?
A. The DMARC record’s DKIM alignment tag is incorrectly configured.
B. The DMARC record’s policy tag is incorrectly configured.
C. The DMARC record does not have an SPF alignment tag.
D. The DMARC record’s version tag is set to DMARC1 instead of the current version, which is DMARC3.
Q14.Massivelog.log has grown to 40GB on a Windows server. At this size, local tools are unable to read the file, and it cannot be moved off the virtual server where it is located. Which of the following lines of PowerShell script will allow a user to extract the last 10,000 lines of the log for review?
A. tail -10000 Massivelog.log > extract.txt
B. info tail n -10000 Massivelog.log | extract.txt;
C. get content ‘./Massivelog.log’ -Last 10000 | extract.txt
D. get-content ‘./Massivelog.log’ -Last 10000 > extract.txt;
Q15.A security analyst is reviewing the following Internet usage trend report:
Which of the following usernames should the security analyst investigate further?
A. User 1
B. User 2
C. User 3
D. User 4
Q16.The incident response team is working with a third-party forensic specialist to investigate the root cause of a recent intrusion. An analyst was asked to submit sensitive network design details for review. The forensic specialist recommended electronic delivery for efficiency, but email was not an approved communication channel to send network details. Which of the following BEST explains the importance of using a secure method of communication during incident response?
A. To prevent adversaries from intercepting response and recovery details
B. To ensure intellectual property remains on company servers
C. To have a backup plan in case email access is disabled
D. To ensure the management team has access to all the details that are being exchanged
Q17.Which of the following allows Secure Boot to be enabled?
A. eFuse
B. UEFI
C. HSM
D. PAM
Q18.A newly appointed Chief Information Security Officer has completed a risk assessment review of the organization and wants to reduce the numerous risks that were identified. Which of the following will provide a trend of risk mitigation?
A. Planning
B. Continuous monitoring
C. Risk response
D. Risk analysis
E. Oversight
Q19.A developer downloaded and attempted to install a file transfer application in which the installation package is bundled with adware. The next-generation antivirus software prevented the file from executing, but it did not remove the file from the device. Over the next few days, more developers tried to download and execute the offending file. Which of the following changes should be made to the security tools to BEST remedy the issue?
A. Blacklist the hash in the next-generation antivirus system.
B. Manually delete the file from each of the workstations.
C. Remove administrative rights from all developer workstations.
D. Block the download of the file via the web proxy.
Q20.Which of the following is MOST important when developing a threat hunting program?
A. Understanding penetration testing techniques
B. Understanding how to build correlation rules within a SIEM
C. Understanding security software technologies
D. Understanding assets and categories of assets
Q21.The help desk is having difficulty keeping up with all onboarding and offboarding requests. Managers often submit requests for new users at the last minute, causing the help desk to scramble to create accounts across many different interconnected systems. Which of the following solutions would work BEST to assist the help desk with the onboarding and offboarding process while protecting the company’s assets?
A. MFA
B. CASB
C. SSO
D. RBAC
Q22.A security analyst needs to provide the development team with secure connectivity from the corporate network to a three-tier cloud environment. The developers require access to servers in all three tiers in order to perform various configuration tasks. Which of the following technologies should the analyst implement to provide secure transport?
A. CASB
B. VPC
C. Federation
D. VPN
Q23.A company has a cluster of web servers that is critical to the business. A systems administrator installed a utility to troubleshoot an issue, and the utility caused the entire cluster to go offline. Which of the following solutions would work BEST to prevent this from happening again?
A. Change management
B. Application whitelisting
C. Asset management
D. Privilege management
Q24.A company’s Chief Information Officer wants to use a CASB solution to ensure policies are being met during cloud access. Due to the nature of the company’s business and risk appetite, the management team elected to not store financial information in the cloud. A security analyst needs to recommend a solution to mitigate the threat of financial data leakage into the cloud. Which of the following should the analyst recommend?
A. Utilize the CASB to enforce DLP data-at-rest protection for financial information that is stored on premises.
B. Do not utilize the CASB solution for this purpose, but add DLP on premises for data in motion.
C. Utilize the CASB to enforce DLP data-in-motion protection for financial information moving to the cloud.
D. Do not utilize the CASB solution for this purpose, but add DLP on premises for data at rest.
Q25.An employee was found to have performed fraudulent activities. The employee was dismissed, and the employee’s laptop was sent to the IT service desk to undergo a data sanitization procedure. However, the security analyst responsible for the investigation wants to avoid data sanitization. Which of the following can the security analyst use to justify the request?
A. GDPR
B. Data correlation procedure
C. Evidence retention
D. Data retention
Q26.During the forensic analysis of a compromised machine, a security analyst discovers some binaries that are exhibiting abnormal behaviors. After extracting the strings, the analyst finds unexpected content. Which of the following is the NEXT step the analyst should take?
A. Validate the binaries’ hashes from a trusted source.
B. Use file integrity monitoring to validate the digital signature.
C. Run an antivirus against the binaries to check for malware.
D. Only allow whitelisted binaries to execute.
Q27.A security analyst is investigating a compromised Linux server. The analyst issues the ps command and receives the following output:
Which of the following commands should the administrator run NEXT to further analyze the compromised system?
A. strace /proc/1301
B. rpm -V openssh-server
C. /bin/ls -1 /proc/1301/exe
D. kill -9 1301
Q28.SIMULATION –
Approximately 100 employees at your company have received a phishing email. As a security analyst, you have been tasked with handling this situation.
INSTRUCTIONS –
Review the information provided and determine the following:
1. How many employees clicked on the link in the phishing email?
2. On how many workstations was the malware installed?
3. What is the executable file name of the malware?
Q29.A company’s application development has been outsourced to a third-party development team. Based on the SLA, the development team must follow industry best practices for secure coding. Which of the following is the BEST way to verify this agreement?
A. Input validation
B. Security regression testing
C. Application fuzzing
D. User acceptance testing
E. Stress testing
Q30.Company A is in the process of merging with Company B. As part of the merger, connectivity between the ERP systems must be established so pertinent financial information can be shared between the two entities. Which of the following will establish a more automated approach to secure data transfers between the two entities?
A. Set up an FTP server that both companies can access and export the required financial data to a folder.
B. Set up a VPN between Company A and Company B, granting access only to the ERPs within the connection.
C. Set up a PKI between Company A and Company B and intermediate shared certificates between the two entities.
D. Create static NATs on each entity’s firewalls that map to the ERP systems and use native ERP authentication to allow access.
Q31.An analyst is reviewing the following output as part of an incident:
Which of the following is MOST likely happening?
A. The hosts are part of a reflective denial-of-service attack
B. Information is leaking from the memory of host 10.20.30.40
C. Sensitive data is being exfiltrated by host 192.168.1.10
D. Host 192.168.1.10 is performing firewall port knocking
Q32.During a review of recent network traffic, an analyst realizes the team has seen this same traffic multiple times in the past three weeks, and it resulted in confirmed malware activity. The analyst also notes there is no other alert in place for this traffic. After resolving the security incident, which of the following would be the BEST action for the analyst to take to increase the chance of detecting this traffic in the future?
A. Share details of the security incident with the organization’s human resources management team.
B. Note the security incident so other analysts are aware the traffic is malicious.
C. Communicate the security incident to the threat team for further review and analysis.
D. Report the security incident to a manager for inclusion in the daily report.
Q33.During a review of recent network traffic, an analyst realizes the team has seen this same traffic multiple times in the past three weeks, and it resulted in confirmed malware activity. The analyst also notes there is no other alert in place for this traffic. After resolving the security incident, which of the following would be the BEST action for the analyst to take to increase the chance of detecting this traffic in the future?
A. Share details of the security incident with the organization’s human resources management team.
B. Note the security incident to junior analysts so they are aware of the traffic.
C. Communicate the security incident to the threat team for further review and analysis.
D. Report the security incident for inclusion in the daily report.
Q34.Employees of a large financial company are continuously being infected by strands of malware that are not detected by EDR tools. Which of the following is the BEST security control to implement to reduce corporate risk while allowing employees to exchange files at client sites?
A. MFA on the workstations
B. Additional host firewall rules
C. VDI environment
D. Hard drive encryption
E. Network access control
F. Network segmentation
Q35.An organization is experiencing security incidents in which a systems administrator is creating unauthorized user accounts. A security analyst has created a script to snapshot the system configuration each day. Following is one of the scripts: cat /etc/passwd > daily_$(date +"%m_%d_%Y")
This script has been running successfully every day. Which of the following commands would provide the analyst with additional useful information relevant to the above script?
A. diff daily_11_03_2019 daily_11_04_2019
B. ps -ef | grep admin > daily_process_$(date +%m_%d_%Y")
C. more /etc/passwd > daily_$(date +%m_%d_%Y_%H:%M:%S")
D. la -lai /usr/sbin > daily_applications
Q36.During an incident response procedure, a security analyst collects a hard drive to analyze a possible vector of compromise. There is a Linux swap partition on the hard drive that needs to be checked. Which of the following should the analyst use to extract human-readable content from the partition?
A. strings
B. head
C. fsstat
D. dd
Q37.Which of the following BEST describes how logging and monitoring work when entering into a public cloud relationship with a service provider?
A. Logging and monitoring are not needed in a public cloud environment.
B. Logging and monitoring are done by the data owners.
C. Logging and monitoring duties are specified in the SLA and contract.
D. Logging and monitoring are done by the service provider.
Q38.A product security analyst has been assigned to evaluate and validate a new product’s security capabilities. Part of the evaluation involves reviewing design changes at specific intervals for security deficiencies, recommending changes, and checking for changes at the next checkpoint. Which of the following BEST describes the activity being conducted?
A. User acceptance testing
B. Stress testing
C. Code review
D. Security regression testing
Q39.Which of the following BEST explains the function of a managerial control?
A. To scope the security planning, program development, and maintenance of the security life cycle
B. To guide the development of training, education, security awareness programs, and system maintenance
C. To implement data classification, risk assessments, security control reviews, and contingency planning
D. To ensure tactical design, selection of technology to protect data, logical access reviews, and the implementation of audit trails
Q40.A user’s computer has been running slowly when the user tries to access web pages. A security analyst runs the command netstat -aon from the command line and receives the following output:
Which of the following lines indicates the computer may be compromised?
A. Line 1
B. Line 2
C. Line 3
D. Line 4
E. Line 5
F. Line 6
Q41.Which of the following is MOST closely related to the concept of privacy?
A. The implementation of confidentiality, integrity, and availability
B. A system’s ability to protect the confidentiality of sensitive information
C. An individual’s control over personal information
D. A policy implementing strong identity management processes
Q42.A company’s blocklist has outgrown the current technologies in place. The ACLs are at maximum, and the IPS signatures only allow a certain amount of space for domains to be added, creating the need for multiple signatures. Which of the following configuration changes to the existing controls would be the MOST appropriate to improve performance?
A. Implement a host-file-based solution that will use a list of all domains to deny for all machines on the network.
B. Create an IDS for the current blocklist to determine which domains are showing activity and may need to be removed.
C. Review the current blocklist and prioritize it based on the level of threat severity. Add the domains with the highest severity to the blocklist and remove the lower-severity threats from it.
D. Review the current blocklist to determine which domains can be removed from the list and then update the ACLs and IPS signatures.
Q43.A security analyst found the following entry in a server log:
The analyst executed netstat and received the following output:
Which of the following lines in the output confirms this was successfully executed by the server?
A. 1
B. 2
C. 3
D. 4
E. 5
F. 6
G. 7
Q44.A security administrator needs to provide access from partners to an isolated laboratory network inside an organization that meets the following requirements:
* The partners’ PCs must not connect directly to the laboratory network
* The tools the partners need to access while on the laboratory network must be available to all partners
* The partners must be able to run analyses on the laboratory network, which may take hours to complete
Which of the following capabilities will MOST likely meet the security objectives of the request?
A. Deployment of a jump box to allow access to the laboratory network and use of VDI in persistent mode to provide the necessary tools for analysis
B. Deployment of a firewall to allow access to the laboratory network and use of VDI in non-persistent mode to provide the necessary tools for analysis
C. Deployment of a firewall to allow access to the laboratory network and use of VDI in persistent mode to provide the necessary tools for analysis
D. Deployment of a jump box to allow access to the laboratory network and use of VDI in non-persistent mode to provide the necessary tools for analysis
Q45.After an incident involving a phishing email, a security analyst reviews the following email access log:
Based on this information, which of the following accounts was MOST likely compromised?
A. CARLB
B. CINDYP
C. GILLIANO
D. ANDREAD
E. LAURAB
Q46.A company frequently experiences issues with credential stuffing attacks. Which of the following is the BEST control to help prevent these attacks from being successful?
A. SIEM
B. IDS
C. MFA
D. TLS
Q47.During an investigation, a security analyst determines suspicious activity occurred during the night shift over the weekend. Further investigation reveals the activity was initiated from an internal IP going to an external website. Which of the following would be the MOST appropriate recommendation to prevent similar activity from happening in the future?
A. An IPS signature modification for the specific IP addresses
B. An IDS signature modification for the specific IP addresses
C. A firewall rule that will block port 80 traffic
D. Implement a web proxy to restrict malicious web content
Q48.A security analyst is researching ways to improve the security of a company’s email system to mitigate emails that are impersonating company executives. Which of the following would be BEST for the analyst to configure to achieve this objective?
A. A TXT record on the name server for SPF
B. DNSSEC keys to secure replication
C. Domain Keys Identified Mail
D. A sandbox to check incoming mail
Q49.A security analyst identified one server that was compromised and used as a data mining machine, and a clone of the hard drive that was created. Which of the following will MOST likely provide information about when and how the machine was compromised and where the malware is located?
A. System timeline reconstruction
B. System registry extraction
C. Data carving
D. Volatile memory analysis
Q50.A business recently acquired a software company. The software company’s security posture is unknown. However, based on an initial assessment, there are limited security controls. No significant security monitoring exists. Which of the following is the NEXT step that should be completed to obtain information about the software company’s security posture?
A. Develop an asset inventory to determine the systems within the software company.
B. Review relevant network drawings, diagrams, and documentation.
C. Perform penetration tests against the software company’s internal and external networks.
D. Baseline the software company’s network to determine the ports and protocols in use.
Q51.A security analyst identified some potentially malicious processes after capturing the contents of memory from a machine during incident response. Which of the following procedures is the NEXT step for further investigation?
A. Data carving
B. Timeline construction
C. File cloning
D. Reverse engineering
Q52.A company recently experienced a breach of sensitive information that affects customers across multiple geographical regions. Which of the following roles would be BEST suited to determine the breach notification requirements?
A. Legal counsel
B. Chief Security Officer
C. Human resources
D. Law enforcement
Q53.After a remote command execution incident occurred on a web server, a security analyst found the following piece of code in an XML file:
Which of the following is the BEST solution to mitigate this type of attack?
A. Implement a better level of user input filters and content sanitization.
B. Properly configure XML handlers so they do not process &ent parameters coming from user inputs.
C. Use parameterized queries to avoid user inputs from being processed by the server.
D. Escape user inputs using character encoding conjoined with whitelisting.
Q54.A security analyst is reviewing a vulnerability scan report and notes the following finding:
As part of the detection and analysis procedures, which of the following should the analyst do NEXT?
A. Patch or reimage the device to complete the recovery.
B. Restart the antivirus’s running processes.
C. Isolate the host from the network to prevent exposure.
D. Confirm the workstation’s signatures against the most current signatures.
Q55.Which of the following is the BEST security practice to prevent ActiveX controls from running malicious code on a user’s web application?
A. Deploying HIPS to block malicious ActiveX code
B. Installing network-based IPS to block malicious ActiveX code
C. Adjusting the web-browser settings to block ActiveX controls
D. Configuring a firewall to block traffic on ports that use ActiveX controls
Q56.While monitoring the information security notification mailbox, a security analyst notices several emails were reported as spam. Which of the following should the analyst do FIRST?
A. Block the sender in the email gateway.
B. Delete the email from the company’s email servers.
C. Ask the sender to stop sending messages.
D. Review the message in a secure environment.
Q57.In SIEM software, a security analyst detected some changes to hash signatures from monitored files during the night followed by SMB brute-force attacks against the file servers. Based on this behavior, which of the following actions should be taken FIRST to prevent a more serious compromise?
A. Fully segregate the affected servers physically in a network segment, apart from the production network.
B. Collect the network traffic during the day to understand if the same activity is also occurring during business hours.
C. Check the hash signatures, comparing them with malware databases to verify if the files are infected.
D. Collect all the files that have changed and compare them with the previous baseline.
Q58.The security team decides to meet informally to discuss and test their response plan for potential security breaches and emergency situations. Which of the following types of training will the security team perform?
A. Tabletop exercise
B. Red-team attack
C. System assessment implementation
D. Blue-team training
E. White-team engagement
Q59.A security analyst is conducting a post-incident log analysis to determine which indicators can be used to detect further occurrences of a data exfiltration incident. The analyst determines backups were not performed during this time and reviews the following:
Which of the following should the analyst review to find out how the data was exfiltrated?
A. Monday’s logs
B. Tuesday’s logs
C. Wednesday’s logs
D. Thursday’s logs
Q60.In response to an audit finding, a company’s Chief Information Officer (CIO) instructed the security department to increase the security posture of the vulnerability management program. Currently, the company’s vulnerability management program has the following attributes:
✑ It is unauthenticated.
✑ It is at the minimum interval specified by the audit framework.
✑ It only scans well-known ports.
Which of the following would BEST increase the security posture of the vulnerability management program?
A. Expand the ports being scanned to include all ports. Increase the scan interval to a number the business will accept without causing service interruption. Enable authentication and perform credentialed scans.
B. Expand the ports being scanned to include all ports. Keep the scan interval at its current level. Enable authentication and perform credentialed scans.
C. Expand the ports being scanned to include all ports. Increase the scan interval to a number the business will accept without causing service interruption. Continue unauthenticated scanning.
D. Continue scanning the well-known ports. Increase the scan interval to a number the business will accept without causing service interruption. Enable authentication and perform credentialed scans.