CompTIA CySA+ CS0-002 Practice Questions



112 Terms

1
A cybersecurity analyst receives a phone call from an unknown person with the number blocked on the caller ID. After starting the conversation, the caller begins to request sensitive information. Which of the following techniques is being applied?
A. Social engineering
B. Phishing
C. Impersonation
D. War dialing
Answer: A

2
Which of the following is the main benefit of sharing incident details with partner organizations or external trusted parties during the incident response process?
A. It facilitates releasing incident results, findings and resolution to the media and all appropriate government agencies.
B. It shortens the incident life cycle by allowing others to document incident details and prepare reports.
C. It enhances the response process, as others may be able to recognize the observed behavior and provide valuable insight.
D. It allows the security analyst to defer incident-handling activities until all parties agree on how to proceed with analysis.
Answer: C

3
The security analyst determined that an email containing a malicious attachment was sent to several employees within the company, and it was not stopped by any of the email filtering devices. An incident was declared. During the investigation, it was determined that most users deleted the email, but one specific user executed the attachment. Based on the details gathered, which of the following actions should the security analyst perform NEXT?
A. Obtain a copy of the email with the malicious attachment. Execute the file on another user's machine and observe the behavior. Document all findings.
B. Acquire a full backup of the affected machine. Reimage the machine and then restore from the full backup.
C. Take the affected machine off the network. Review local event logs looking for activity and processes related to unknown or unauthorized software.
D. Take possession of the machine. Apply the latest OS updates and firmware. Discuss the problem with the user and return the machine.
Answer: C

4
Which of the following tools should a cybersecurity analyst use to verify the integrity of a forensic image before and after an investigation?
A. strings
B. sha1sum
C. file
D. dd
E. gzip
Answer: B

5
Given the following logs:
Aug 18 11:00:57 comptia sshd[5657]: Failed password for root from 10.10.10.192 port 38980 ssh2
Aug 18 23:08:26 comptia sshd[5768]: Failed password for root from 18.70.0.160 port 38156 ssh2
Aug 18 23:08:30 comptia sshd[5770]: Failed password for admin from 18.70.0.160 port 38556 ssh2
Aug 18 23:08:34 comptia sshd[5772]: Failed password for invalid user asterisk from 18.70.0.160 port 38864 ssh2
Aug 18 23:08:38 comptia sshd[5774]: Failed password for invalid user sjobeck from 10.10.1.16 port 39157 ssh2
Aug 18 23:08:42 comptia sshd[5776]: Failed password for root from 18.70.0.160 port 39467 ssh2
Which of the following can be suspected?
A. An unauthorized user is trying to gain access from 10.10.10.192.
B. An authorized user is trying to gain access from 10.10.10.192.
C. An authorized user is trying to gain access from 18.70.0.160.
D. An unauthorized user is trying to gain access from 18.70.0.160.
Answer: D

6
A security analyst has been asked to review permissions on accounts within Active Directory to determine if they are appropriate to the user's role. During this process, the analyst notices that a user from building maintenance is part of the Domain Admins group. Which of the following does this indicate?
A. Cross-site scripting
B. Session hijack
C. Privilege escalation
D. Rootkit
Answer: C

7
In the last six months, a company has seen an increase in credential-harvesting attacks. The latest victim was the chief executive officer (CEO). Which of the following countermeasures will render the attack ineffective?
A. Use a complex password according to the company policy.
B. Implement an intrusion-prevention system.
C. Isolate the CEO's computer in a higher security zone.
D. Implement multifactor authentication.
Answer: D

8
After a security breach, it was discovered that the attacker had gained access to the network by using a brute-force attack against a service account with a password that was set to never expire, even though the account had a long, complex password. Which of the following could be used to prevent similar attacks from being successful in the future?
A. Complex password policies
B. Account lockout
C. Self-service password reset portal
D. Scheduled vulnerability scans
Answer: B

9
A security analyst wants to capture data flowing in and out of a network. Which of the following would MOST likely assist in achieving this goal?
A. Taking a screenshot
B. Analyzing network traffic and logs
C. Analyzing big data metadata
D. Capturing a system image
Answer: B

10
There are reports that hackers are using home thermostats to ping a national service provider without the provider's knowledge. Which of the following attacks is occurring from these devices?
A. IoT
B. DDoS
C. MITM
D. MIMO
Answer: B

11
Which of the following is the purpose of a SIEM solution?
A. To provide real-time security analysis and alerts generated within the security system
B. To provide occasional updates on global security breaches
C. To act as an attack vector
D. To act as an intrusion prevention system
Answer: A

12
An actor with little to no knowledge of the tools they use to carry out an attack is known as which of the following?
A. White hat
B. Black hat
C. Attack vector
D. Script kiddie
Answer: D

13
Which one of the following does NOT accurately portray the attributes of an Advanced Persistent Threat (APT) attack?
A. They often exploit unknown vulnerabilities.
B. They typically use freely available attacking tools to cut down on costs.
C. They target large or government organizations.
D. They use sophisticated means to gain access to highly valued resources.
Answer: B

14
Which of the following are the security intelligence data elements that assure the quality of the data? (Choose three)
A. Accuracy
B. Proprietary
C. Relevance
D. Timeliness
Answer: ACD

15
The process of combing through collected data to gather relevant and accurate intelligence data is referred to as _____ according to the intelligence cycle.
A. Collection
B. Dissemination
C. Feedback
D. Analysis
Answer: D

16
Which of the following ports would you close if your server does not host any DNS services?
A. 22
B. 53
C. 443
D. 80
Answer: B

17
The security team advises that there is a server running legacy software that supports some of the applications within the organization. Upon review, management realizes the potential loss from the risk isn't great enough to warrant spending money to avoid it. This form of response is known as which of the following?
A. Compensating control
B. Risk acceptance
C. Risk avoidance
D. Remediation
Answer: B

18
A critical vulnerability falls within which range on CVSS?
A. 4.0-7.0
B. 3.9-5.0
C. 0.0-10.0
D. 9.0-10.0
Answer: D

19
An attacker collects information about a target from sources such as LinkedIn, Twitter, and the target's website. This form of reconnaissance is known as which of the following?
A. Active reconnaissance
B. Passive reconnaissance
C. Native reconnaissance
D. None of the above options
Answer: B

20
When defining a scope to scan, which of the following should you use? (Choose two)
A. An IP range
B. A gateway
C. A single IP
D. A subnet mask only
Answer: AC

21
Which of the following is NOT a factor that can inhibit remediation?
A. Legacy systems
B. SLA
C. MOU
D. Employment contract
Answer: D

22
Which of the following will define a scope to scan? (Choose two)
A. 192.168.10.1
B. 192.168.88.1/24
C. 127.0.0.1
D. 169.254.10.1
Answer: AB

23
Your company is requesting that you assess the extent to which a client's data was compromised in an incident. What analysis are you required to perform?
A. MOU
B. IIA
C. SLA
D. PII
Answer: B

24
Which of the following would be used to de-authenticate devices connected to a wireless access point?
A. -0
B. -c
C. 5
D. -a
Answer: A

25
To prevent memory compromise and subsequent overflow attacks in operating systems, which OS feature must be available?
A. UEFI
B. Boot Security
C. HIPS
D. ASLR
Answer: D

26
Which firewall option would allow an administrator to permit an application into an organization's network?
A. Whitelisting
B. Filtering
C. Port security
D. Blacklisting
Answer: A

27
The command "Mac Address Sticky" uses physical addresses to restrict and provide network access to the device. True or false?
Answer: T

28
Which of the following is a threat associated with operating in the cloud?
A. Unsecure Wi-Fi
B. Malicious insider
C. Bluejacking
D. Evil twin
Answer: B

29
Which of the following practices is likely to put corporate systems at risk?
A. CIA
B. Patching
C. MDM
D. BYOD
Answer: D

30
A unique feature of a hybrid cloud is the combination of a private and a public cloud. True or false?
Answer: T

31
Which mobile security standard allows an organization to manage mobile devices?
A. MDM
B. BYOD
C. SSH
D. CAN bus
Answer: A

32
Which of the following are fundamentals of MFA? (Choose three)
A. Something you have, such as a one-time PIN
B. Something you know, such as a password
C. Something you do, such as a sport
D. Something you are, such as biometrics
Answer: ABD

33
In which of the following can the attacker use ARP poisoning to compromise systems?
A. LAN
B. Bluetooth
C. WAN
D. None of the above
Answer: A

34
Locking is an effective mitigation against race condition attacks. True or false?
Answer: T

35
You are informed that the recently hired junior accountant within your organization has had her device compromised after clicking on a link within an email that was seemingly sent from the head of the accounting department. What type of attack would the junior accountant have been a victim of?
A. Phishing attack
B. SQL injection
C. DDoS attack
D. MITM attack
Answer: A

36
Which security concerns are more easily addressed in the cloud? (Choose three)
A. Data locality
B. Physical security
C. Customization
D. Regulatory compliance
E. API access
Answer: BDE

37
A Cloud Access Security Broker is a piece of software that does which of the following?
A. Introduces new vulnerabilities
B. Prices cloud services
C. Sits between your cloud and on-premises deployments
D. Reduces security complexity
Answer: C

38
Hardware IDs (such as serial numbers) are often tagged onto assets by which method?
A. A handwritten log
B. They're not
C. A physical tag or sticker
D. An external database
Answer: C

39
Good change management includes which of the following features? (Choose three)
A. Change identification
B. Regulatory reporting
C. Life-cycle tracking
D. Review
E. A shared spreadsheet
Answer: ACD

40
Network segmentation can mitigate the risk of a vulnerability spreading beyond its initial attack vector. True or false?
Answer: T

41
Which architecture represents a cloud deployment that is isolated from other public users of that same cloud infrastructure?
A. Firewall
B. Virtual private cloud (VPC)
C. Serverless computing
D. Software-defined networking (SDN)
Answer: B

42
Server virtualization introduces security vulnerabilities by sharing underlying hardware with other virtual machines. True or false?
Answer: F

43
Which feature of a system is shared by all containers running on that system?
A. Memory space
B. Disk space
C. Operating system kernel
D. Network ports
Answer: C

44
Which important access control feature is used by both RBAC and ABAC?
A. Permissions assigned to roles
B. Permissions assigned directly to users
C. Principle of least privilege
D. Permissions derived from attributes
Answer: C

45
Account credentials should be encrypted both in transit and at rest by default. True or false?
Answer: T

46
A username and password authentication scheme is considered "multi-factor authentication" because the username and password represent two different factors. True or false?
Answer: F

47
A honeypot has which of the following features? (Choose three)
A. Excludes any sensitive data
B. An easy target
C. Isolated from secure systems
D. Automatically blocks known attack vectors
Answer: ABC

48
Documentation for software assurance comes in which forms?
A. Standard Operating Procedures and Information Assurance Plans
B. Regulatory oversight
C. Stack Overflow queries
D. Continuous Integration / Continuous Deployment
Answer: A

49
Challenges for assuring mobile software include which of the following? (Choose three)
A. Device aesthetics
B. Connectivity
C. Physical size
D. Limited resources
E. User education
Answer: BCD

50
Web applications are often exposed over the public internet, and this introduces additional security concerns. True or false?
Answer: T

51
Which trait is mostly unique to firmware?
A. Publicly available
B. Deployed on the web
C. Easily assured
D. Tight coupling to the hardware
Answer: D

52
At which stage of the SDLC should software assurance be introduced?
A. Every stage
B. Design
C. Testing
D. Deployment
Answer: A

53
DevSecOps means integrating security assurance into the entire DevOps process and pipeline. True or false?
Answer: T

54
Which testing is the most discrete form of testing and is often automated as part of a CI/CD pipeline?
A. Unit testing
B. Integration testing
C. User acceptance testing
D. Penetration testing
Answer: A

55
You should classify all data input sources as which of the following?
A. Trusted or untrusted
B. Public or private
C. High or low
D. Internal or external
Answer: A

56
Secure credentials are stored in which form?
A. With two-way encryption
B. They're never stored
C. Plain text
D. Salted and hashed
Answer: D

57
SAST tools can review your code while it is executing to identify flaws or vulnerabilities. True or false?
Answer: F

58
Pros of dynamic analysis tools include which of the following? (Choose three)
A. Provide a real-use view
B. Are simple to configure and use
C. Have a limited variety of options
D. Capture information at a discrete level
E. Identify distinct flaws from SAST
Answer: ADE

59
SAML relies on which format for data transfer?
A. XML
B. Speech-to-text
C. CSV
D. JSON
Answer: A

60
Which type of root of trust is hardwired into the PCB or system board of a system?
A. USB dongle
B. Certificate authority
C. TPM
D. HSM
Answer: C

61
An eFuse bit can only be written a single time. True or false?
Answer: T

62
UEFI provides the necessary functionality for which system-level process?
A. Secure Boot
B. Boot loaders
C. BIOS
D. Anti-virus software
Answer: A

63
Which boot process validates each successive piece of software as it starts and halts if invalid software is discovered?
A. Measured Boot
B. UEFI
C. Secure Boot
D. Bus encryption
Answer: C

64
Which types of data are TEEs used to secure? (Choose three)
A. DRM controls
B. Payment/PCI data
C. Virus or malware definitions
D. Biometric data
E. OS versioning
Answer: ABD

65
Match the two types of keys with their purpose.
1. User password to unlock the drive
2. Private key used to secure data
A. Authentication Key
B. Data Encryption Key
Answer: AB

66
Which of the following would be a part of heuristic analysis? (Choose two)
A. Code analysis of unexecuted files
B. Observing patterns in attack vectors on an institution
C. Observing code execution in a sandbox
D. Noting relationships between network traffic and malware
Answer: AC

67
Which type of security log would be most useful in order to determine the centrally cached web sites?
A. Syslog server log
B. Windows Security event log
C. Proxy server syslog
D. Proxy server log
Answer: D

68
Which command-line operator is used to send the results of an onscreen command to a text file?
A. >
B. |
C. \
D. <
Answer: A

69
Which of the following is the most basic initial function of a SIEM system?
A. Correlation via rules
B. Log aggregation dashboard
C. Artificial intelligence
D. Security Orchestration, Automation and Response
Answer: B

70
Which log is associated with tracking both successful and failed authentication attempts on a Linux operating system?
A. auth.log
B. faillog
C. security event log
D. syslog
Answer: A

71
Which type of network analysis decodes the content of packets to see the application data moving through the network?
A. Flow analysis
B. DNS analysis
C. Protocol analysis
D. Packet analysis
Answer: D

72
Which form of email security infrastructure specifically focuses on digital signatures of outbound email from a mail server?
A. DNS
B. DMARC
C. DKIM
D. SPF
Answer: C

73
Which type of email-related concern escalates most of the other security concerns?
A. Embedded links
B. Forwarder redirection
C. Social engineering
D. Attachments
Answer: C

74
Which type of impact is best described as the impact to the data within a company?
A. Local
B. Organizational
C. Total
D. Immediate
Answer: A

75
Which permissions would let someone view and launch a file that uses memory, triggering a CPU process? (Choose two)
A. Delete
B. Permissions
C. Read
D. Write
E. Execute
Answer: CE

76
Which of the following are the best candidates for a blacklist? (Choose two)
A. Firewalls
B. Network ACLs
C. Malware
D. Malicious traffic patterns
E. Permissions
Answer: CD

77
Regarding firewall passwords, which of the following typically cause the greatest vulnerabilities? (Choose two)
A. Config files
B. Updates
C. Zones
D. Defaults
E. Rules
Answer: AD

78
When traffic is allowed through an IPS to the network when it should have been blocked, it is referred to as which of the following?
A. False negative
B. False positive
C. Out-of-band enforcement
D. Baseline
Answer: A

79
Which of the following are likely areas of management in a Data Loss Prevention system? (Choose three)
A. Printing
B. Permissions
C. Email
D. Software
E. User authentication
Answer: ACD

80
Which location is typical for an EDR agent installation?
A. Firewall
B. Virtual server
C. Router
D. Switch
Answer: B

81
Which element of a NAC topology best describes a layer 2 switch?
A. Authentication server
B. Supplicant
C. Internet of Things
D. Authenticator
Answer: D

82
Which security infrastructure element is added in order to redirect endpoints to a new destination?
A. Sinkhole
B. Sandbox
C. Honeynet
D. Honeypot
Answer: A

83
Which of the following is the most valuable resource in proactive threat management?
A. Firewalls
B. People
C. Artificial intelligence
D. Intrusion detection systems
Answer: B

84
Which of the following do we need to learn about current threats in order to develop an accurate hypothesis to investigate? (Choose three)
A. Procedures
B. Policies
C. Titles
D. Techniques
E. Tactics
Answer: ADE

85
Which type of advanced persistent threat actor is known for having large resources and wanting to cause disruption in a foreign country?
A. Hacktivist
B. Cyber criminal
C. Nation state
D. Cyber-terrorist
Answer: C

86
Order the threat hunting steps appropriately.
A. Envision the attack
B. Keep learning
C. Look for attacks
D. Know thyself
Answer: DACB

87
Which of the following is associated most with network controls rather than endpoint controls?
A. Change defaults
B. Deny all ports and protocols
C. Containerization
D. Desired State Configuration
Answer: B

88
Which of the following is the most valid definition of an attack vector?
A. A method of attack
B. Exploited vulnerabilities
C. Agents of potential harm to an enterprise
D. Malware
Answer: A

89
Which of the following is the most accurate description of a system that gathers vast quantities of data through neural networks?
A. Machine learning
B. Artificial intelligence
C. Deep learning
D. Natural intelligence
Answer: C

90
Which security protocol is associated with public key infrastructure (PKI) as it applies to automation?
A. Common Platform Enumeration (CPE)
B. Extensible Configuration Checklist Description Format (XCCDF)
C. Trust Model for Security Automation Data (TMSAD)
D. Open Vulnerability and Assessment Language (OVAL)
Answer: C

91
Which of the following are elements of Security Orchestration, Automation and Response (SOAR)? (Choose two)
A. Perform action steps with integrated systems
B. Examine logs for patterns
C. Collect incoming data streams
D. Capture network traffic
Answer: AC

92
How do APIs allow for better security automation?
A. Provide a language for scripting
B. Ensure automatic updates
C. Identify end users
D. Read and write to software systems' configurations and data
Answer: D

93
Which of the following enable malware detection software to quickly recognize new variants of a strain of malware? (Choose two)
A. Centralized malware databases
B. String hashes
C. File hashes
D. Deep learning
Answer: BD

94
You're a security analyst wanting to incorporate third-party, up-to-date security information into the context of machine learning that is already using content from your SIEM. Which process should be used?
A. Data deduplication
B. Data enrichment
C. Data mining
D. Data cleansing
Answer: B

95
Which of the following is the best description of a methodology involving regular small incremental changes over the lifespan of a piece of software?
A. Continuous Delivery
B. Continuous Integration
C. Continuous Deployment
D. Security automation
Answer: B

96
An incident response process is a methodology providing guidance on the handling of cyber threats and breaches. True or false?
Answer: T

97
According to the NIST framework, what are the four phases of incident response? (Choose four)
A. Preparation
B. Classification
C. Containment, eradication, and recovery
D. Detection and analysis
E. Post-incident activity
Answer: ACDE

98
A junior network analyst is monitoring network usage when he notices a large spike in outbound network traffic. The traffic usage indicates a recent bandwidth spike that has not been recorded before. How would the analyst categorize this information?
A. Employees downloading torrents
B. Timed-out connections
C. Potential indicator of compromise
D. Packet loss
Answer: C

99
Which of the following are categories of alerts? (Choose all that apply)
A. Informational
B. Partial
C. Medium
D. Critical
Answer: ACD

100
Which of the following is NOT a post-incident activity?
A. Lessons learned report
B. Incident response planning
C. Evidence retention
D. Incident summary report
Answer: B