Practice Exam Version:
Part 1: https://awslagi.com/comptia-cysa-cs0-002-certification-exam-part-1/
Part 2: https://awslagi.com/comptia-cysa-cs0-002-certification-exam-part-2/
Part 3: https://awslagi.com/comptia-cysa-cs0-002-certification-exam-part-3/
Part 4: https://awslagi.com/comptia-cysa-cs0-002-certification-exam-part-4/
Part 5: https://awslagi.com/comptia-cysa-cs0-002-certification-exam-part-5/
Part 6: https://awslagi.com/comptia-cysa-cs0-002-certification-exam-part-6/
Actual Exam Version: https://awslagi.com/course-category/comptia/
Q121.After a breach involving the exfiltration of a large amount of sensitive data, a security analyst is reviewing the following firewall logs to determine how the breach occurred.
Which of the following IP addresses does the analyst need to investigate further?
A. 192.168.1.1
B. 192.168.1.10
C. 192.168.1.12
D. 192.168.1.193
Q122.A development team signed a contract that requires access to an on-premises physical server. Access must be restricted to authorized users only, and the server cannot be connected to the internet. Which of the following solutions would meet this requirement?
A. Establish a hosted SSO
B. Implement a CASB
C. Virtualize the server
D. Air gap the server
Q123.Which of the following provides an automated approach to checking a system configuration?
A. SCAP
B. CI/CD
C. OVAL
D. Scripting
E. SOAR
Q124.Legacy medical equipment, which contains sensitive data, cannot be patched. Which of the following is the BEST solution to improve the equipment’s security posture?
A. Move the legacy systems behind a WAF
B. Implement an air gap for the legacy systems
C. Place the legacy systems in the perimeter network
D. Implement a VPN between the legacy systems and the local network
Q125.An information security analyst observes anomalous behavior on the SCADA devices in a power plant. This behavior results in the industrial generators overheating and destabilizing the power supply. Which of the following would BEST identify potential indicators of compromise?
A. Use Burp Suite to capture packets to the SCADA device’s IP.
B. Use tcpdump to capture packets from the SCADA device IP.
C. Use Wireshark to capture packets between SCADA devices and the management system.
D. Use Nmap to capture packets from the management system to the SCADA devices.
Q126.A remote code execution vulnerability was discovered in the RDP. An organization currently uses RDP for remote access to a portion of its VDI environment. The analyst verified network-level authentication is enabled. Which of the following is the BEST remediation for this vulnerability?
A. Verify the threat intelligence feed is updated with the latest solutions.
B. Verify the system logs do not contain indicators of compromise.
C. Verify the latest endpoint-protection signature is in place.
D. Verify the corresponding patch for the vulnerability is installed.
Q127.An organization’s Chief Information Security Officer is creating a position that will be responsible for implementing technical controls to protect data, including ensuring backups are properly maintained. Which of the following roles would MOST likely include these responsibilities?
A. Data protection officer
B. Data owner
C. Backup administrator
D. Data custodian
E. Internal auditor
Q128.Forming a hypothesis, looking for indicators of compromise, and using the findings to proactively improve detection capabilities are examples of the value of:
A. vulnerability scanning.
B. threat hunting.
C. red teaming.
D. penetration testing.
Q129.A security analyst needs to determine the best method for securing access to a top-secret datacenter. Along with an access card and PIN code, which of the following additional authentication methods would be BEST to enhance the datacenter’s security?
A. Physical key
B. Retinal scan
C. Passphrase
D. Fingerprint
Q130.Clients are unable to access a company’s API to obtain pricing data. An analyst discovers sources other than clients are scraping the API for data, which is causing the servers to exceed available resources. Which of the following would be BEST to protect the availability of the APIs?
A. IP whitelisting
B. Certificate-based authentication
C. Virtual private network
D. Web application firewall
Q131.A company’s change management team has asked a security analyst to review a potential change to the email server before it is released into production. The analyst reviews the following change request:
Change request date: 2020-01-30
Change requester: Cindy Richardson
Change asset: WIN2K-EMAILOOI
Change requested: Modify the following SPF record to change +all to -all
Which of the following is the MOST likely reason for the change?
A. To reject email from servers that are not listed in the SPF record
B. To reject email from email addresses that are not digitally signed
C. To accept email to the company’s domain
D. To reject email from users who are not authenticated to the network
Q132.A security analyst is reviewing the output of tcpdump to analyze the type of activity on a packet capture:
Which of the following generated the above output?
A. A port scan
B. A TLS connection
C. A vulnerability scan
D. A ping sweep
Q133.A company creates digitally signed packages for its devices. Which of the following BEST describes the method by which the security packages are delivered to the company’s customers?
A. Anti-tamper mechanism
B. SELinux
C. Trusted firmware updates
D. eFuse
Q134.A security analyst needs to assess the web-server versions on a list of hosts to determine which are running a vulnerable version of the software and then output that list into an XML file named webserverlist.xml. The host list is provided in a file named webserverlist.txt. Which of the following Nmap commands would BEST accomplish this goal?
A. nmap -iL webserverlist.txt -sC -p 443 -oX webserverlist.xml
B. nmap -iL webserverlist.txt -sV -p 443 -oX webserverlist.xml
C. nmap -iL webserverlist.txt -F -p 443 -oX weberserverlist.xml
D. nmap -takefile webserverlist.txt -outputfileasXML webserverlist.xml -scanports 443
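Once the -sV scan from Q134 has written webserverlist.xml, the analyst still has to turn that file into a list of hosts running a vulnerable version. The following is an added example (not from the page or from the Nmap project) that parses the -oX layout and compares versions numerically; the XML is a constructed sample in that layout, and the "fixed in 2.4.51" threshold is an assumed value for the demo, not a statement about any particular CVE.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout nmap writes with -oX (not real scan output).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -iL webserverlist.txt -sV -p 443 -oX webserverlist.xml">
  <host><status state="up"/>
    <address addr="10.0.0.11" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="443">
      <state state="open"/>
      <service name="https" product="Apache httpd" version="2.4.49"/>
    </port></ports>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.12" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="443">
      <state state="open"/>
      <service name="https" product="Apache httpd" version="2.4.54"/>
    </port></ports>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.13" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="443">
      <state state="open"/>
      <service name="https" product="nginx" version="1.18.0"/>
    </port></ports>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.14" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="443">
      <state state="open"/>
      <service name="https"/>
    </port></ports>
  </host>
</nmaprun>
"""


def version_tuple(version):
    """Turn '2.4.49' into (2, 4, 49) so versions compare numerically, not as strings
    (a string compare would rank '2.4.9' above '2.4.49')."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def parse_services(xml_text):
    """Yield (ip, port, product, version) for every open port in the -oX output."""
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for port in host.iter("port"):
            state = port.find("state")
            service = port.find("service")
            if state is None or state.get("state") != "open" or service is None:
                continue
            yield (addr.get("addr"), int(port.get("portid")),
                   service.get("product"), service.get("version"))


def find_vulnerable(xml_text, fixed_in):
    """Return (vulnerable, unknown).

    fixed_in maps product name -> first patched version (assumed values for the demo).
    Hosts where -sV could not fingerprint a product/version go into 'unknown': they
    need manual follow-up rather than being silently treated as clean.
    """
    vulnerable, unknown = [], []
    for ip, port, product, version in parse_services(xml_text):
        if not product or not version:
            unknown.append((ip, port))
            continue
        threshold = fixed_in.get(product)
        if threshold and version_tuple(version) < version_tuple(threshold):
            vulnerable.append((ip, port, product, version))
    return vulnerable, unknown


if __name__ == "__main__":
    vuln, unk = find_vulnerable(SAMPLE_NMAP_XML, {"Apache httpd": "2.4.51"})
    print("vulnerable:", vuln)
    print("needs manual check:", unk)
```

Run it against the real webserverlist.xml by reading the file into `find_vulnerable` instead of the constructed string; the thresholds dictionary is where the vendor's fixed-in versions go.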
Q135.A security analyst wants to capture large amounts of network data that will be analyzed at a later time. The packet capture does not need to be in a format that is readable by humans, since it will be put into a binary file called "packetCapture". The capture must be as efficient as possible, and the analyst wants to minimize the likelihood that packets will be missed. Which of the following commands will BEST accomplish the analyst’s objectives?
A. tcpdump -w packetCapture
B. tcpdump -a packetCapture
C. tcpdump -n packetCapture
D. nmap -v > packetCapture
E. nmap -oA > packetCapture
Q136.The threat intelligence department recently learned of an advanced persistent threat that is leveraging a new strain of malware, exploiting a system router. The company currently uses the same device mentioned in the threat report. Which of the following configuration changes would BEST improve the organization’s security posture?
A. Implement an IPS rule that contains content for the malware variant and patch the routers to protect against the vulnerability.
B. Implement an IDS rule that contains the IP addresses from the advanced persistent threat and patch the routers to protect against the vulnerability.
C. Implement an IPS rule that contains the IP addresses from the advanced persistent threat and patch the routers to protect against the vulnerability.
D. Implement an IDS rule that contains content for the malware variant and patch the routers to protect against the vulnerability
Q137.An organization is experiencing issues with emails that are being sent to external recipients. Incoming emails to the organization are working fine. A security analyst receives the following screenshot of an email error from the help desk:
The analyst then checks the email server and sees many of the following messages in the logs:
Error 550 Message-Rejected
Which of the following is MOST likely the issue?
A. SPF is failing.
B. The DMARC queue is full.
C. The DKIM private key has expired.
D. Port 25 is not open.
Q138.A security engineer must deploy X.509 certificates to two web servers behind a load balancer. Each web server is configured identically. Which of the following should be done to ensure certificate name mismatch errors do not occur?
A. Create two certificates, each with the same fully qualified domain name, and associate each with the web servers’ real IP addresses on the load balancer.
B. Create one certificate on the load balancer and associate the site with the web servers’ real IP addresses.
C. Create two certificates, each with the same fully qualified domain name, and associate each with a corresponding web server behind the load balancer.
D. Create one certificate and export it to each web server behind the load balancer.
Q139.A company’s legal department is concerned that its incident response plan does not cover the countless ways security incidents can occur. They have asked a security analyst to help tailor the response plan to provide broad coverage for many situations. Which of the following is the BEST way to achieve this goal?
A. Focus on incidents that have a high chance of reputation harm.
B. Focus on common attack vectors first.
C. Focus on incidents that affect critical systems.
D. Focus on incidents that may require law enforcement support
Q140.A code review reveals a web application is using time-based cookies for session management. This is a security concern because time-based cookies are easy to:
A. parameterize
B. decode
C. guess
D. decrypt
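Why "guess" is the concern in Q140: a session identifier derived from the login time has a tiny, ordered search space, and hashing it does not add entropy. The following added example (not from the page) models the weak scheme, an attacker's brute-force against it, and the CSPRNG-based replacement; the timestamp values are constructed for the demo.

```python
import hashlib
import secrets


def time_based_session_id(login_time_ms):
    """Weak scheme: the id depends only on the login timestamp in milliseconds.
    SHA-256 hides the timestamp but an attacker who knows roughly when the victim
    logged in can recompute every candidate and compare."""
    return hashlib.sha256(str(login_time_ms).encode()).hexdigest()


def guess_time_based_id(target_id, approx_time_ms, window_ms=5000):
    """Attacker view: try every millisecond in +-window_ms around the estimated login
    time. Returns (timestamp_found, attempts) or (None, attempts)."""
    attempts = 0
    for candidate in range(approx_time_ms - window_ms, approx_time_ms + window_ms + 1):
        attempts += 1
        if time_based_session_id(candidate) == target_id:
            return candidate, attempts
    return None, attempts


def random_session_id(nbytes=32):
    """Fixed scheme: 256 bits from the OS CSPRNG, unrelated to time or user data.
    There is no window to search; guessing is infeasible."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    # Constructed scenario: victim logged in at 1_700_000_000_123 ms; attacker only
    # knows it was "around" 1_700_000_000_000.
    victim_cookie = time_based_session_id(1_700_000_000_123)
    found, tries = guess_time_based_id(victim_cookie, 1_700_000_000_000)
    print(f"recovered login time {found} after {tries} hashes")
    print("replacement cookie:", random_session_id())
```

The only thing the attacker needs for the weak scheme is an estimate of the login time (a server "Date" header, an email notification, a logged-in timestamp shown in the UI); a five-second uncertainty costs about ten thousand hashes.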
Q141.Which of the following BEST explains hardware root of trust?
A. It uses the processor security extensions to protect the OS from malicious software installation.
B. It prevents side-channel attacks that can take advantage of speculative execution vulnerabilities.
C. It ensures the authenticity of firmware and software during the boot process until the OS is loaded.
D. It has been implemented as a mitigation to the Spectre and Meltdown hardware vulnerabilities.
Q142.A penetration tester physically enters a datacenter and attaches a small device to a switch. As part of the tester’s effort to evaluate which nodes are present on the network, the tester places the network adapter in promiscuous mode and logs traffic for later analysis. Which of the following is the tester performing?
A. Credential scanning
B. Passive scanning
C. Protocol analysis
D. SCAP scanning
E. Network segmentation
Q143.A security analyst discovers the accounting department is hosting an accounts receivable form on a public document service. Anyone with the link can access it. Which of the following threats applies to this situation?
A. Potential data loss to external users
B. Loss of public/private key management
C. Cloud-based authentication attack
D. Insufficient access logging
Q144.A user reports a malware alert to the help desk. A technician verifies the alert, determines the workstation is classified as a low-severity device, and uses network controls to block access. The technician then assigns the ticket to a security analyst who will complete the eradication and recovery processes. Which of the following should the security analyst do NEXT?
A. Document the procedures and walkthrough the incident training guide
B. Reverse engineer the malware to determine its purpose and risk to the organization
C. Sanitize the workstation and verify countermeasures are restored
D. Isolate the workstation and issue a new computer to the user
Q145.A security analyst is reviewing the following requirements for new time clocks that will be installed in a shipping warehouse:
• The clocks must be configured so they do not respond to ARP broadcasts.
• The server must be configured with static ARP entries for each clock.
Which of the following types of attacks will this configuration mitigate?
A. Spoofing
B. Overflows
C. Rootkits
D. Sniffing
Q146.A security team identified some specific known tactics and techniques to help mitigate repeated credential access threats, such as account manipulation and brute forcing. Which of the following frameworks or models did the security team MOST likely use to identify the tactics and techniques?
A. MITRE ATT&CK
B. ITIL
C. Kill chain
D. Diamond Model of intrusion Analysis
Q147.A security analyst received a series of antivirus alerts from a workstation segment, and users reported ransomware messages. During lessons-learned activities, the analyst determines the antivirus was able to alert to abnormal behavior but did not stop this newest variant of ransomware. Which of the following actions should be taken to BEST mitigate the effects of this type of threat in the future?
A. Enabling sandboxing technology
B. Purchasing cyber insurance
C. Enabling application blacklisting
D. Installing a firewall between the workstations and internet
Q148.Portions of a legacy application are being refactored to discontinue the use of dynamic SQL. Which of the following would be BEST to implement in the legacy application?
A. Input validation
B. SQL injection
C. Parameterized queries
D. Web-application firewall
E. Multifactor authentication
Q149.An organization wants to move non-essential services into a cloud computing environment. Management has a cost focus and would like to achieve a recovery time objective of 12 hours. Which of the following cloud recovery strategies would work BEST to attain the desired outcome?
A. Duplicate all services in another instance and load balance between the instances,
B. Establish a hot site with active replication to another region within the same cloud provider.
C. Set up a warm disaster recovery site with the same cloud provider in a different region.
D. Configure the systems with a cold site at another cloud provider that can be used for failover.
Q150.A security analyst receives a CVE bulletin, which lists several products that are used in the enterprise. The analyst immediately deploys a critical security patch. Which of the following BEST describes the reason for the analyst’s immediate action?
A. Nation-state hackers are targeting the region.
B. A new vulnerability was discovered by a vendor.
C. A known exploit was discovered.
D. A new zero-day threat needs to be addressed.
E. There is an insider threat.
Q151.A company recently experienced similar network attacks. To determine whether the attacks were identical, the company should gather a list of IPs, domains, and files and use:
A. behavior data
B. the Diamond Model of Intrusion Analysis.
C. the attack kill chain.
D. the reputational data.
Q152.A company’s security administrator needs to automate several security processes related to testing for the existence of changes within the environment. Conditionally, other processes will need to be created based on input from prior processes. Which of the following is the BEST method for accomplishing this task?
A. Machine learning and process monitoring
B. Continuous integration and configuration management
C. API integration and data enrichment
D. Workflow orchestration and scripting
Q153.A company uses self-signed certificates when sending emails to recipients within the company. Users are calling the help desk because they are getting warnings when attempting to open emails sent by internal users. A security analyst checks the certificates and sees the following
Which of the following should the security analyst conclude?
A. user@company.com is a malicious insider.
B. The valid dates are too far apart and are generating the alerts
C. certServer has been compromised
D. The root certificate was not installed in the trusted store
Q154.An organization supports a large number of remote users. Which of the following is the BEST option to protect the data on the remote users’ laptops?
A. Require the use of VPNs.
B. Require employees to sign an NDA
C. Implement a DLP solution.
D. Use whole disk encryption.
Q155.Which of the following sources would a security analyst rely on to provide relevant and timely threat information concerning the financial services industry?
A. Real-time and automated firewall rules subscriptions
B. Open-source intelligence, such as social media and blogs
C. Information sharing and analysis membership
D. Common vulnerability and exposure bulletins
Q156.An organization that uses SPF has been notified emails sent via its authorized third-party partner are getting rejected. A security analyst reviews the DNS entry and sees the following:
The organization’s primary mail server IP is 180.10.6.6 and the secondary mail server IP is 180.10.6.5. The organization’s third-party mail provider is “Robust Mail” with the domain name robustmail.com. Which of the following is the MOST likely reason for the rejected emails?
A. SPF version 1 does not support third-party providers.
B. The primary and secondary email server IP addresses are out of sequence.
C. An incorrect IP version is being used.
D. The wrong domain name is in the SPF record.
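Q131 and Q156 both turn on how a receiving server evaluates an SPF record: "+all" makes every sender pass, "-all" rejects anything not listed, and an "include:" of the wrong domain means the third party's IPs never match. The following added example (not from the page) is a small SPF evaluator covering ip4/ip6, include and all. The DNS zones are constructed: the mail server IPs are the ones given in Q156, while example.com and the provider's address range are assumptions for the demo (the actual record in Q156 is not reproduced on the page).

```python
import ipaddress

# Constructed DNS zones (TXT records only; no live lookups).
ZONE_BEFORE = {  # Q131 before the change: "+all" accepts every sender
    "example.com": "v=spf1 ip4:180.10.6.6 ip4:180.10.6.5 include:robustmail.com +all",
    "robustmail.com": "v=spf1 ip4:203.0.113.0/24 -all",
}
ZONE_AFTER = {   # Q131 after the change: "-all" rejects unlisted senders
    "example.com": "v=spf1 ip4:180.10.6.6 ip4:180.10.6.5 include:robustmail.com -all",
    "robustmail.com": "v=spf1 ip4:203.0.113.0/24 -all",
}
ZONE_TYPO = {    # Q156-style mistake: the include names a domain other than the provider
    "example.com": "v=spf1 ip4:180.10.6.6 ip4:180.10.6.5 include:robustmail.net -all",
    "robustmail.com": "v=spf1 ip4:203.0.113.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_ip, domain, zone, depth=0):
    """Evaluate sender_ip against domain's SPF record (ip4/ip6/include/all only).

    Mechanisms needing live DNS (a, mx, ptr, exists) are skipped. An include of a
    domain with no usable record is treated as 'no match' (RFC 7208 would return
    permerror); that is enough to show why a wrong include name causes rejections.
    """
    if depth > 10:                      # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    record = zone.get(domain)
    if not record or not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"                 # an unqualified mechanism means pass on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism == "all":
            matched = True
        elif mechanism in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(argument, strict=False)
        elif mechanism == "include":
            matched = check_spf(sender_ip, argument, zone, depth + 1) == "pass"
        else:
            continue
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # no mechanism matched and no 'all' present


if __name__ == "__main__":
    attacker, provider = "198.51.100.7", "203.0.113.25"
    print("attacker vs +all :", check_spf(attacker, "example.com", ZONE_BEFORE))
    print("attacker vs -all :", check_spf(attacker, "example.com", ZONE_AFTER))
    print("provider, correct:", check_spf(provider, "example.com", ZONE_AFTER))
    print("provider, typo   :", check_spf(provider, "example.com", ZONE_TYPO))
```

The last line is the Q156 symptom: the partner's mail reaches the "-all" term and fails because the include never matched, while the organization's own servers still pass on their ip4 entries.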
Q157.To validate local system-hardening requirements, which of the following types of vulnerability scans would work BEST to verify the scanned device meets security policies?
A. SCAP
B. SAST
C. DAST
D. DACS
Q158.An organization has the following risk mitigation policy:
• Risks with a probability of 95% or greater will be addressed before all others regardless of the impact.
• All other prioritization will be based on risk value.
The organization has identified the following risks:
Which of the following is the order of priority for risk mitigation from highest to lowest?
A. A, B, D, C
B. A, B, C, D
C. D, A, B, C
D. D, A, C, B
Q159.A security analyst has discovered that developers have installed browsers on all development servers in the company’s cloud infrastructure and are using them to browse the Internet. Which of the following changes should the security analyst make to BEST protect the environment?
A. Create a security rule that blocks Internet access in the development VPC
B. Place a jumpbox in between the developers’ workstations and the development VPC
C. Remove the administrator’s profile from the developer user group in identity and access management
D. Create an alert that is triggered when a developer installs an application on a server
Q160.When attempting to do a stealth scan against a system that does not respond to ping, which of the following Nmap commands BEST accomplishes that goal?
A. nmap -sA -O -noping
B. nmap -sT -O -Pn
C. nmap -sS -O -Pn
D. nmap -sQ -O -Pn
Q161.A security analyst receives an alert to expect increased and highly advanced cyberattacks originating from a foreign country that recently had sanctions implemented. Which of the following describes the type of threat actors that should concern the security analyst?
A. Insider threat
B. Nation-state
C. Hacktivist
D. Organized crime
Q162.A security team wants to make SaaS solutions accessible from only the corporate campus. Which of the following would BEST accomplish this goal?
A. Geotagging
B. IP restrictions
C. Reverse proxy
D. Single sign-on
Q163.Which of the following are considered PII by themselves? (Choose two.)
A. Government ID
B. Job title
C. Employment start date
D. Birth certificate
E. Employer address
F. Mother’s maiden name
Q164.A security analyst notices the following entry while reviewing the server logs:
OR 1=1' ADD USER attacker' PW 1337password' --
Which of the following events occurred?
A. CSRF
B. XSS
C. SQLi
D. RCE
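Q148 and Q164 are two sides of the same defect: dynamic SQL lets an input such as the log entry above become part of the statement, and parameterized queries are the refactor that stops it. The following added example (not from the page) runs a classic `' OR 1=1--` payload against a concatenated query and a parameterized one on an in-memory SQLite table, and adds a rough triage signature for log lines like the one in Q164. The table contents and payloads are constructed; the Q164 string itself is not valid SQL as printed, so the demo uses the standard form of the injection.

```python
import re
import sqlite3


def make_demo_db():
    """Constructed in-memory table standing in for the application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct-horse"), ("admin", "s3cret")])
    conn.commit()
    return conn


def login_dynamic_sql(conn, username, password):
    """Legacy style: user input is spliced into the statement text (vulnerable).
    A username of  ' OR 1=1--  turns the WHERE clause into a tautology and the
    trailing -- comments out the password check entirely."""
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(query)]


def login_parameterized(conn, username, password):
    """Refactored (Q148): placeholders keep the statement fixed; the driver sends the
    values separately, so quotes and comment markers are just characters."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


# Triage signature for entries like the Q164 log line. Attackers evade this with
# encoding, casing tricks or alternative tautologies, so treat it as a tripwire for
# the analyst, not as a control.
SQLI_PATTERN = re.compile(
    r"(?i)(\bOR\b\s+\d+\s*=\s*\d+|'\s*--|;\s*(DROP|ALTER|INSERT|UPDATE)\b)")


def looks_like_sqli(text):
    return SQLI_PATTERN.search(text) is not None


if __name__ == "__main__":
    db = make_demo_db()
    payload = "' OR 1=1--"
    print("dynamic SQL returned   :", login_dynamic_sql(db, payload, "anything"))
    print("parameterized returned :", login_parameterized(db, payload, "anything"))
    print("Q164 line flagged      :",
          looks_like_sqli("OR 1=1' ADD USER attacker' PW 1337password' --"))
```

The vulnerable function hands back every user for a bogus password; the parameterized one returns nothing, because the whole payload is compared literally against the username column.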
Q165.Which of the following will allow different cloud instances to share various types of data with a minimal amount of complexity?
A. Reverse engineering
B. Application log collectors
C. Workflow orchestration
D. API integration
E. Scripting
Q166.An analyst performs a routine scan of a host using Nmap and receives the following output:
Which of the following should the analyst investigate FIRST?
A. Port 21
B. Port 22
C. Port 23
D. Port 80
Q167.A security analyst has received a report that servers are no longer able to connect to the network. After many hours of troubleshooting, the analyst determines a Group Policy Object is responsible for the network connectivity issues. Which of the following solutions should the security analyst recommend to prevent an interruption of service in the future?
A. CI/CD pipeline
B. Impact analysis and reporting
C. Appropriate network segmentation
D. Change management process
Q168.A security analyst observes a large amount of scanning activity coming from an IP address outside the organization’s environment. Which of the following should the analyst do to block this activity?
A. Create an IPS rule to block the subnet.
B. Sinkhole the IP address.
C. Create a firewall rule to block the IP address.
D. Close all unnecessary open ports.
Q169.A company uses an FTP server to support its critical business functions. The FTP server is configured as follows:
• The FTP service is running with the data directory configured in /opt/ftp/data.
• The FTP server hosts employees’ home directories in /home.
• Employees may store sensitive information in their home directories.
An IoC revealed that an FTP directory traversal attack resulted in sensitive data loss. Which of the following should a server administrator implement to reduce the risk of current and future directory traversal attacks targeted at the FTP server?
A. Implement file-level encryption of sensitive files.
B. Reconfigure the FTP server to support FTPS.
C. Run the FTP server in a chroot environment.
D. Upgrade the FTP server to the latest version.
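The chroot in Q169 makes the kernel enforce the boundary: once the process root is /opt/ftp/data, a request for ../../home/... cannot resolve to /home at all. The following added example (not from the page) shows the application-level counterpart, a path check that confines client-supplied paths to the data directory and rejects traversal attempts. It works on the path string only, so it needs no files; the request strings are constructed.

```python
import posixpath

DATA_ROOT = "/opt/ftp/data"   # the directory the FTP service is meant to serve (Q169)


def resolve_within(root, requested):
    """Map a client-supplied path onto root; refuse anything that escapes it.

    Percent-encoded input (%2e%2e) must be decoded before calling this. A real
    server also has to resolve symlinks (os.path.realpath) after this check, since
    a link inside root can point outside it; the chroot closes that hole as well.
    """
    root = posixpath.normpath(root)
    # Strip a leading '/' so an absolute request cannot replace the root outright.
    candidate = posixpath.normpath(posixpath.join(root, requested.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        raise PermissionError(f"path escapes {root}: {requested!r}")
    return candidate


def classify_requests(root, requests):
    """Return {request: resolved path or 'DENIED'} for a batch of client paths."""
    verdicts = {}
    for req in requests:
        try:
            verdicts[req] = resolve_within(root, req)
        except PermissionError:
            verdicts[req] = "DENIED"
    return verdicts


if __name__ == "__main__":
    # Constructed requests: two legitimate, two traversal attempts, one absolute path.
    sample = ["reports/q1.csv", "", "../../home/alice/secret.txt",
              "reports/../../../home/bob/.ssh/id_rsa", "/home/alice/secret.txt"]
    for req, verdict in classify_requests(DATA_ROOT, sample).items():
        print(f"{req!r:45} -> {verdict}")
```

Note that the absolute request is not rejected; it is re-rooted under /opt/ftp/data, which is exactly what a chroot does with it.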
Q170.Which of the following is an advantage of SOAR over SIEM?
A. SOAR is much less expensive.
B. SOAR reduces the amount of human intervention required.
C. SOAR can aggregate data from many sources.
D. SOAR uses more robust encryption protocols.
Q171.A financial organization has offices located globally. Per the organization’s policies and procedures, all executives who conduct business overseas must have their mobile devices checked for malicious software or evidence of tampering upon their return. The information security department oversees this process, and no executive has had a device compromised. The Chief Information Security Officer wants to implement an additional safeguard to protect the organization’s data.
Which of the following controls would work BEST to protect the privacy of the data if a device is stolen?
A. Implement a mobile device wiping solution for use once the device returns home.
B. Install a DLP solution to track data flow.
C. Install an encryption solution on all mobile devices.
D. Train employees to report a lost or stolen laptop to the security department immediately.
Q172.At which of the following phases of the SDLC should security FIRST be involved?
A. Design
B. Maintenance
C. Implementation
D. Analysis
E. Planning
F. Testing
Q173.A company’s security team recently discovered a number of workstations that are at the end of life. The workstation vendor informs the team that the product is no longer supported, and patches are no longer available. The company is not prepared to cease its use of these workstations. Which of the following would be the BEST method to protect these workstations from threats?
A. Deploy whitelisting to the identified workstations to limit the attack surface.
B. Determine the system process criticality and document it.
C. Isolate the workstations and air gap them when it is feasible.
D. Increase security monitoring on the workstations.
Q174.A security analyst needs to reduce the overall attack surface. Which of the following infrastructure changes should the analyst recommend?
A. Implement a honeypot.
B. Air gap sensitive systems.
C. Increase the network segmentation.
D. Implement a cloud-based architecture.
Q175.A security analyst is conducting a post-incident log analysis to determine which indicators can be used to detect further occurrences of a data exfiltration incident. The analyst determines backups were not performed during this time and reviews the following:
Which of the following should the analyst review to find out how the data was exfiltrated?
A. Monday’s logs
B. Tuesday’s logs
C. Wednesday’s logs
D. Thursday’s logs
Q176.A small electronics company decides to use a contractor to assist with the development of a new FPGA-based device. Several of the development phases will occur off-site at the contractor’s labs. Which of the following is the main concern a security analyst should have with this arrangement?
A. Making multiple trips between development sites increases the chance of physical damage to the FPGAs.
B. Moving the FPGAs between development sites will lessen the time that is available for security testing.
C. Development phases occurring at multiple sites may produce change management issues.
D. FPGA applications are easily cloned, increasing the possibility of intellectual property theft.
Q177.A Chief Information Security Officer (CISO) is concerned developers have too much visibility into customer data. Which of the following controls should be implemented to BEST address these concerns?
A. Data masking
B. Data loss prevention
C. Data minimization
D. Data sovereignty
Q178.During a review of the vulnerability scan results on a server, an information security analyst notices the following:
The MOST appropriate action for the analyst to recommend to developers is to change the web server so:
A. it only accepts TLSv1.2.
B. it only accepts cipher suites using AES and SHA.
C. it no longer accepts the vulnerable cipher suites.
D. SSL/TLS is offloaded to a WAF and load balancer.
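The recommendation in Q178 is narrower than "TLS 1.2 only": the fix is to stop offering the flagged cipher suites while keeping the rest of the configuration intact. The following added example (not from the page) builds a server-side TLS context with Python's ssl module restricted to forward-secret AEAD suites and checks what the context would actually offer; the cipher string is an assumed hardening baseline, and exact suite names depend on the local OpenSSL build.

```python
import ssl

# Assumed hardening baseline: ECDHE key exchange (forward secrecy) with AES-GCM or
# ChaCha20-Poly1305, and explicit exclusions for the families scanners flag.
HARDENED_CIPHER_STRING = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES"

# Substrings that identify suites a vulnerability scanner would report.
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT", "anon")


def hardened_server_context():
    """Server context that refuses TLS < 1.2, compression, and weak suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(HARDENED_CIPHER_STRING)   # raises SSLError if nothing matches
    ctx.options |= ssl.OP_NO_COMPRESSION      # CRIME-style attacks need compression
    return ctx


def offered_cipher_names(ctx):
    """Suite names the context would negotiate (TLS 1.3 suites appear as TLS_*)."""
    return [c["name"] for c in ctx.get_ciphers()]


def weak_ciphers_present(names):
    """Return the suites from names that match a weak-family marker."""
    return [n for n in names if any(marker in n for marker in WEAK_MARKERS)]


if __name__ == "__main__":
    ctx = hardened_server_context()
    names = offered_cipher_names(ctx)
    print(f"minimum protocol: {ctx.minimum_version.name}")
    print(f"{len(names)} suites offered, weak: {weak_ciphers_present(names)}")
    for name in names:
        print("  ", name)
```

Re-running the scanner after the change is still required: `get_ciphers()` reports what this process would offer, not what the production web server in front of it is configured with.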
Q179.A company experienced a security compromise due to the inappropriate disposal of one of its hardware appliances. Sensitive information stored on the hardware appliance was not removed prior to disposal. Which of the following is the BEST manner in which to dispose of the hardware appliance?
A. Ensure the hardware appliance has the ability to encrypt the data before disposing of it.
B. Dispose of all hardware appliances securely, thoroughly, and in compliance with company policies.
C. Return the hardware appliance to the vendor, as the vendor is responsible for disposal.
D. Establish guidelines for the handling of sensitive information.
Q180.A security analyst at example.com receives a SIEM alert for an IDS signature and reviews the associated packet capture and TCP stream:
Packet capture:
TCP stream:
Which of the following actions should the security analyst take NEXT?
A. Review the known Apache vulnerabilities to determine if a compromise actually occurred.
B. Contact the application owner for connect.example.local for additional information.
C. Mark the alert as a false positive scan coming from an approved source.
D. Raise a request to the firewall team to block 203.0.113.15.