Last Updated on July 4, 2021 by InfraExam

CS0-002 : CompTIA CySA+ Certification Exam (CS0-002) : Part 06

  1. A large software company wants to move its source control and deployment pipelines into a cloud-computing environment. Due to the nature of the business, management determines the recovery time objective needs to be within one hour. Which of the following strategies would put the company in the BEST position to achieve the desired recovery time?

    • Establish an alternate site with active replication to other regions
    • Configure a duplicate environment in the same region and load balance between both instances
    • Set up every cloud component with duplicated copies and auto-scaling turned on
    • Create a duplicate copy on premises that can be used for failover in a disaster situation
  2. A cybersecurity analyst is reading a daily intelligence digest of new vulnerabilities. The type of vulnerability that should be disseminated FIRST is one that:

    • enables remote code execution that is being exploited in the wild
    • enables data leakage but is not known to be in the environment
    • enables lateral movement and was reported as a proof of concept
    • affected the organization in the past but was probably contained and eradicated
  3. A company’s incident response team is handling a threat that was identified on the network. Security analysts have determined a web server is making multiple connections from TCP port 445 outbound to servers inside its subnet as well as at remote sites. Which of the following is the MOST appropriate next step in the incident response plan?

    • Quarantine the web server
    • Deploy virtual firewalls
    • Capture a forensic image of the memory and disk
    • Enable web server containerization
  4. During an incident, a cybersecurity analyst found several entries in the web server logs that are related to an IP with a bad reputation. Which of the following would cause the analyst to further review the incident?

    • BadReputationIp - - [2019-04-12 10:43Z] “GET /etc/passwd” 403 1023
    • BadReputationIp - - [2019-04-12 10:43Z] “GET /index.html?src=../.ssh/id_rsa” 401 17044
    • BadReputationIp - - [2019-04-12 10:43Z] “GET /a.php?src=/etc/passwd” 403 11056
    • BadReputationIp - - [2019-04-12 10:43Z] “GET /a.php?src=../../.ssh/id_rsa” 200 15036
    • BadReputationIp - - [2019-04-12 10:43Z] “GET /favicon.ico?src=../usr/share/icons” 200 19064
  5. A developer wrote a script to make names and other PII data unidentifiable before loading a database export into the testing system. Which of the following describes the type of control that is being used?

    • Data encoding
    • Data masking
    • Data loss prevention
    • Data classification
  6. Which of the following attacks can be prevented by using output encoding?

    • Server-side request forgery
    • Cross-site scripting
    • SQL injection
    • Command injection
    • Cross-site request forgery
    • Directory traversal
  7. The help desk provided a security analyst with a screenshot of a user’s desktop:

    CS0-002 Part 06 Q07 020
    CS0-002 Part 06 Q07 020

    For which of the following is aircrack-ng being used?

    • Wireless access point discovery
    • Rainbow attack
    • Brute-force attack
    • PCAP data collection
  8. A security manager has asked an analyst to provide feedback on the results of a penetration test. After reviewing the results, the manager requests information regarding the possible exploitation of vulnerabilities. Which of the following information data points would be MOST useful for the analyst to provide to the security manager, who would then communicate the risk factors to senior management? (Choose two.)

    • Probability
    • Adversary capability
    • Attack vector
    • Impact
    • Classification
    • Indicators of compromise
  9. A security analyst has been alerted to several emails that show evidence an employee is planning malicious activities that involve employee PII on the network before leaving the organization. The security analyst’s BEST response would be to coordinate with the legal department and:

    • the public relations department
    • senior leadership
    • law enforcement
    • the human resources department
  10. While preparing for an audit of information security controls in the environment, an analyst outlines a framework control that has the following requirements:
    All sensitive data must be classified.
    All sensitive data must be purged on a quarterly basis.
    Certificates of disposal must remain on file for at least three years.

    This framework control is MOST likely classified as:

    • prescriptive
    • risk-based
    • preventive
    • corrective
  11. An analyst performs a routine scan of a host using Nmap and receives the following output:

    CS0-002 Part 06 Q11 021
    CS0-002 Part 06 Q11 021

    Which of the following should the analyst investigate FIRST?

    • Port 21
    • Port 22
    • Port 23
    • Port 80
  12. A security analyst at a technology solutions firm has uncovered the same vulnerabilities on a vulnerability scan for a long period of time. The vulnerabilities are on systems that are dedicated to the firm’s largest client. Which of the following is MOST likely inhibiting the remediation efforts?

    • The parties have an MOU between them that could prevent shutting down the systems
    • There is a potential disruption of the vendor-client relationship
    • Patches for the vulnerabilities have not been fully tested by the software vendor
    • There is an SLA with the client that allows very little downtime
  13. A security analyst gathered forensics from a recent intrusion in preparation for legal proceedings. The analyst used EnCase to gather the digital forensics, cloned the hard drive, and took the hard drive home for further analysis. Which of the following did the security analyst violate?

    • Cloning procedures
    • Chain of custody
    • Hashing procedures
    • Virtualization
  14. A threat feed notes malicious actors have been infiltrating companies and exfiltrating data to a specific set of domains. Management at an organization wants to know if it is a victim. Which of the following should the security analyst recommend to identify this behavior without alerting any potential malicious actors?

    • Create an IPS rule to block these domains and trigger an alert within the SIEM tool when these domains are requested.
    • Add the domains to a DNS sinkhole and create an alert in the SIEM tool when the domains are queried
    • Look up the IP addresses for these domains and search firewall logs for any traffic being sent to those IPs over port 443
    • Query DNS logs with a SIEM tool for any hosts requesting the malicious domains and create alerts based on this information
  15. A security analyst discovered a specific series of IP addresses that are targeting an organization. None of the attacks have been successful. Which of the following should the security analyst perform NEXT?

    • Begin blocking all IP addresses within that subnet
    • Determine the attack vector and total attack surface
    • Begin a kill chain analysis to determine the impact
    • Conduct threat research on the IP addresses
  16. Which of the following is the MOST important objective of a post-incident review?

    • Capture lessons learned and improve incident response processes
    • Develop a process for containment and continue improvement efforts
    • Identify new technologies and strategies to remediate
    • Identify a new management strategy
  17. An organization was alerted to a possible compromise after its proprietary data was found for sale on the Internet. An analyst is reviewing the logs from the next-generation UTM in an attempt to find evidence of this breach. Given the following output:

    CS0-002 Part 06 Q17 022
    CS0-002 Part 06 Q17 022

    Which of the following should be the focus of the investigation?

  18. A company wants to establish a threat-hunting team. Which of the following BEST describes the rationale for integrating intelligence into hunt operations?

    • It enables the team to prioritize the focus areas and tactics within the company’s environment
    • It provides criticality analyses for key enterprise servers and services
    • It allows analysts to receive routine updates on newly discovered software vulnerabilities
    • It supports rapid response and recovery during and following an incident
  19. A security analyst is investigating a compromised Linux server. The analyst issues the ps command and receives the following output:

    CS0-002 Part 06 Q19 023
    CS0-002 Part 06 Q19 023

    Which of the following commands should the administrator run NEXT to further analyze the compromised system?

    • strace /proc/1301
    •  rpm –V openssh-server
    • /bin/ls –l /proc/1301/exe
    • kill -9 1301
  20. A security analyst is reviewing the following log entries to identify anomalous activity:

    CS0-002 Part 06 Q20 024
    CS0-002 Part 06 Q20 024

    Which of the following attack types is occurring?

    • Directory traversal
    • SQL injection
    • Buffer overflow
    • Cross-site scripting