CS0-002 : CompTIA CySA+ Certification Exam (CS0-002) : Part 02

  1. A development team uses open-source software and follows an Agile methodology with two-week sprints. Last month, the security team filed a bug for an insecure version of a common library. The DevOps team updated the library on the server, and then the security team rescanned the server to verify it was no longer vulnerable. This month, the security team found the same vulnerability on the server.

    Which of the following should be done to correct the cause of the vulnerability?

    • Deploy a WAF in front of the application.
    • Implement a software repository management tool.
    • Install a HIPS on the server.
    • Instruct the developers to use input validation in the code
  2. A security analyst is reviewing the logs from an internal chat server. The chat.log file is too large to review manually, so the analyst wants to create a shorter log file that only includes lines associated with a user demonstrating anomalous activity. Below is a snippet of the log:

    CS0-002 Part 02 Q02 007
    CS0-002 Part 02 Q02 007

    Which of the following commands would work BEST to achieve the desired result?

    • grep -v chatter14 chat.log
    • grep -i pythonfun chat.log
    • grep -i javashark chat.log
    • grep -v javashark chat.log
    • grep -v pythonfun chat.log
    • grep -i chatter14 chat.log
  3. An analyst is participating in the solution analysis process for a cloud-hosted SIEM platform to centralize log monitoring and alerting capabilities in the SOC.

    Which of the following is the BEST approach for supply chain assessment when selecting a vendor?

    • Gather information from providers, including datacenter specifications and copies of audit reports.
    • Identify SLA requirements for monitoring and logging.
    • Consult with senior management for recommendations.
    • Perform a proof of concept to identify possible solutions.
  4. A security technician is testing a solution that will prevent outside entities from spoofing the company’s email domain, which is comptia.org. The testing is successful, and the security technician is prepared to fully implement the solution.

    Which of the following actions should the technician take to accomplish this task?

    • Add TXT @ “v=spf1 mx include:_spf.comptia.org −all” to the DNS record.
    • Add TXT @ “v=spf1 mx include:_spf.comptia.org −all” to the email server.
    • Add TXT @ “v=spf1 mx include:_spf.comptia.org +all” to the domain controller.
    • Add TXT @ “v=spf1 mx include:_spf.comptia.org +all” to the web server.
  5. A security analyst on the threat-hunting team has developed a list of unneeded, benign services that are currently running as part of the standard OS deployment for workstations. The analyst will provide this list to the operations team to create a policy that will automatically disable the services for all workstations in the organization.

    Which of the following BEST describes the security analyst’s goal?

    • To create a system baseline
    • To reduce the attack surface
    • To optimize system performance
    • To improve malware detection
  6. Which of the following roles is ultimately responsible for determining the classification levels assigned to specific data sets?

    • Data custodian
    • Data owner
    • Data processor
    • Senior management
  7. A security analyst suspects a malware infection was caused by a user who downloaded malware after clicking http://<malwaresource>/a.php in a phishing email.

    To prevent other computers from being infected by the same malware variation, the analyst should create a rule on the __________.

    • email server that automatically deletes attached executables.
    • IDS to match the malware sample.
    • proxy to block all connections to <malwaresource>.
    • firewall to block connection attempts to dynamic DNS hosts.
  8. An information security analyst is reviewing backup data sets as part of a project focused on eliminating archival data sets.

    Which of the following should be considered FIRST prior to disposing of the electronic data?

    • Sanitization policy
    • Data sovereignty
    • Encryption policy
    • Retention standards
  9. A security analyst is evaluating two vulnerability management tools for possible use in an organization. The analyst set up each of the tools according to the respective vendor’s instructions and generated a report of vulnerabilities that ran against the same target server.

    Tool A reported the following:

    CS0-002 Part 02 Q09 008
    CS0-002 Part 02 Q09 008

    Tool B reported the following:

    CS0-002 Part 02 Q09 009
    CS0-002 Part 02 Q09 009

    Which of the following BEST describes the method used by each tool? (Choose two.)

    • Tool A is agent based.
    • Tool A used fuzzing logic to test vulnerabilities.
    • Tool A is unauthenticated.
    • Tool B utilized machine learning technology.
    • Tool B is agent based.
    • Tool B is unauthenticated.
  10. A security analyst received an alert from the SIEM indicating numerous login attempts from users outside their usual geographic zones, all of which were initiated through the web-based mail server. The logs indicate all domain accounts experienced two login attempts during the same time frame.

    Which of the following is the MOST likely cause of this issue?

    • A password-spraying attack was performed against the organization.
    • A DDoS attack was performed against the organization.
    • This was normal shift work activity; the SIEM’s AI is learning.
    • A credentialed external vulnerability scan was performed.
  11. During an investigation, a security analyst identified machines that are infected with malware the antivirus was unable to detect.

    Which of the following is the BEST place to acquire evidence to perform data carving?

    • The system memory
    • The hard drive
    • Network packets
    • The Windows Registry
  12. A cybersecurity analyst has access to several threat feeds and wants to organize them while simultaneously comparing intelligence against network traffic.

    Which of the following would BEST accomplish this goal?

    • Continuous integration and deployment
    • Automation and orchestration
    • Static and dynamic analysis
    • Information sharing and analysis
  13. A storage area network (SAN) was inadvertently powered off while power maintenance was being performed in a datacenter. None of the systems should have lost all power during the maintenance. Upon review, it is discovered that a SAN administrator moved a power plug when testing the SAN’s fault notification features.

    Which of the following should be done to prevent this issue from reoccurring?

    • Ensure both power supplies on the SAN are serviced by separate circuits, so that if one circuit goes down, the other remains powered.
    • Install additional batteries in the SAN power supplies with enough capacity to keep the system powered on during maintenance operations.
    • Ensure power configuration is covered in the datacenter change management policy and have the SAN administrator review this policy.
    • Install a third power supply in the SAN so loss of any power intuit does not result in the SAN completely powering off.
  14. A security analyst is providing a risk assessment for a medical device that will be installed on the corporate network. During the assessment, the analyst discovers the device has an embedded operating system that will be at the end of its life in two years. Due to the criticality of the device, the security committee makes a risk-based policy decision to review and enforce the vendor upgrade before the end of life is reached.

    Which of the following risk actions has the security committee taken?

    • Risk exception
    • Risk avoidance
    • Risk tolerance
    • Risk acceptance
  15. During a cyber incident, which of the following is the BEST course of action?

    • Switch to using a pre-approved, secure, third-party communication system.
    • Keep the entire company informed to ensure transparency and integrity during the incident.
    • Restrict customer communication until the severity of the breach is confirmed.
    • Limit communications to pre-authorized parties to ensure response efforts remain confidential.
  16. Which of the following BEST describes the process by which code is developed, tested, and deployed in small batches?

    • Agile
    • Waterfall
    • SDLC
    • Dynamic code analysis
  17. Which of the following types of policies is used to regulate data storage on the network?

    • Password
    • Acceptable use
    • Account management
    • Retention
  18. A security team wants to make SaaS solutions accessible from only the corporate campus.

    Which of the following would BEST accomplish this goal?

    • Geofencing
    • IP restrictions
    • Reverse proxy
    • Single sign-on
  19. Data spillage occurred when an employee accidentally emailed a sensitive file to an external recipient.

    Which of the following controls would have MOST likely prevented this incident?

    • SSO
    • DLP
    • WAF
    • VDI
  20. A security analyst has received information from a third-party intelligence-sharing resource that indicates employee accounts were breached.

    Which of the following is the NEXT step the analyst should take to address the issue?

    • Audit access permissions for all employees to ensure least privilege.
    • Force a password reset for the impacted employees and revoke any tokens.
    • Configure SSO to prevent passwords from going outside the local network.
    • Set up privileged access management to ensure auditing is enabled.