CS0-002 CompTIA Cybersecurity Analyst (CySA+) Certification Exam dumps questions are the best
material for you to test all the related CompTIA exam topics. By using the CS0-002 exam dumps
questions and practicing your skills, you can increase your confidence and chances of passing the
CS0-002 exam.
Features of Dumpsinfo’s products
Instant Download
Free Update in 3 Months
Money back guarantee
PDF and Software
24/7 Customer Support
Besides, Dumpsinfo also provides unlimited access. You can get all Dumpsinfo
files at lowest price.
CompTIA Cybersecurity Analyst (CySA+) Certification Exam CS0-002 exam free
dumps questions are available below for you to study. 
Full version: CS0-002 Exam Dumps Questions
1.When investigating a report of a system compromise, a security analyst views the following
/var/log/secure log file:
Which of the following can the analyst conclude from viewing the log file?
A. The comptia user knows the sudo password.
B. The comptia user executed the sudo su command.
 1 / 20
https://www.dumpsinfo.com/unlimited-access/
https://www.dumpsinfo.com/exam/cs0-002
C. The comptia user knows the root password.
D. The comptia user added himself or herself to the /etc/sudoers file.
Answer: B
Explanation:
The /var/log/secure log file records security-related events on a Linux system, such as
authentication attempts or sudo commands. The log file shows that the comptia user executed the
sudo su command, which switches to the root account and grants superuser privileges. Note that sudo
authenticates the invoking user with that user's own password and then runs su already as root, so a
successful sudo su entry does not demonstrate that the comptia user knows the root password. The log
file also does not show that the comptia user knows a separate sudo password or added himself or
herself to the /etc/sudoers file.
Reference: https://www.cyberciti.biz/faq/linux-log-files-location-and-how-do-i-view-logs-files/
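As an added example (not part of the original question, whose log image is not reproduced on this page), the Python below parses constructed /var/log/secure lines in the format that sshd, sudo and su write on RHEL-style systems and reports only what those entries support: who ran sudo su, whether root was reached through sudo (caller uid 0) rather than with the root password, and which sudo attempts failed. The host, user, address and timestamps are made up.

```python
import re
from typing import Dict, List

# Constructed sample in the format sshd, sudo and su write to /var/log/secure on
# RHEL-style systems. Host, user, addresses and timestamps are made up.
SAMPLE_SECURE_LOG = """\
Mar 10 09:12:01 web01 sshd[2114]: Accepted password for comptia from 10.0.0.5 port 51234 ssh2
Mar 10 09:12:44 web01 sudo:  comptia : TTY=pts/0 ; PWD=/home/comptia ; USER=root ; COMMAND=/bin/su
Mar 10 09:12:44 web01 su: pam_unix(su:session): session opened for user root by comptia(uid=0)
Mar 10 09:15:02 web01 sudo:  comptia : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/comptia ; USER=root ; COMMAND=/usr/bin/vi /etc/sudoers
"""

# Successful sudo: written only after the sudoers policy allowed the command and the
# user authenticated with *their own* password (sudo never asks for root's).
SUDO_OK_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=.*? ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")
# Failed sudo: the user's own password was wrong N times.
SUDO_FAIL_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : (?P<n>\d+) incorrect password attempts? ; TTY=(?P<tty>\S+) ; "
    r"PWD=.*? ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")
# su session record: uid=N is the real uid of the caller. uid=0 means su was already
# running as root (e.g. under sudo), so no root password was entered.
SU_SESSION_RE = re.compile(
    r"su: pam_unix\(su:session\): session opened for user (?P<target>\S+) by (?P<user>\S+)\(uid=(?P<uid>\d+)\)")


def parse_secure_log(log_text: str) -> List[Dict[str, str]]:
    """Turn raw /var/log/secure lines into structured privilege-escalation events."""
    events: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        if m := SUDO_OK_RE.search(line):
            events.append({"kind": "sudo", "user": m["user"], "target": m["target"],
                           "cmd": m["cmd"].strip(), "result": "ok"})
        elif m := SUDO_FAIL_RE.search(line):
            events.append({"kind": "sudo", "user": m["user"], "target": m["target"],
                           "cmd": m["cmd"].strip(), "result": "failed"})
        elif m := SU_SESSION_RE.search(line):
            events.append({"kind": "su", "user": m["user"], "target": m["target"],
                           "caller_uid": m["uid"], "result": "ok"})
    return events


def summarize(events: List[Dict[str, str]]) -> Dict[str, list]:
    """State only what the entries support."""
    ran_sudo_su = sorted({e["user"] for e in events
                          if e["kind"] == "sudo" and e["result"] == "ok"
                          and e["target"] == "root" and e["cmd"].split()[0].endswith("/su")})
    # su invoked with caller uid 0: root was reached through sudo, not by typing root's password
    su_via_sudo = sorted({e["user"] for e in events
                          if e["kind"] == "su" and e["target"] == "root" and e["caller_uid"] == "0"})
    failed_sudo = [(e["user"], e["cmd"]) for e in events
                   if e["kind"] == "sudo" and e["result"] == "failed"]
    return {"ran_sudo_su": ran_sudo_su, "su_via_sudo": su_via_sudo, "failed_sudo": failed_sudo}


if __name__ == "__main__":
    print(summarize(parse_secure_log(SAMPLE_SECURE_LOG)))
```

The failed attempt against /etc/sudoers is a useful reminder that sudo logs the user's own wrong password, not root's; the entry is evidence of intent, not of sudoers being modified.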
2.During an incident, it is determined that a customer database containing email addresses, first
names, and last names was exfiltrated.
Which of the following should the security analyst do NEXT?
A. Consult with the legal department for regulatory impact.
B. Encrypt the database with available tools.
C. Email the customers to inform them of the breach.
D. Follow the incident communications process.
Answer: D
Explanation:
An incident communications process is a set of procedures that defines how to communicate with
internal and external stakeholders during and after an incident, such as customers, employees,
management, regulators and media. An incident communications process can help to provide
accurate, timely and consistent information about the incident, its impact and the actions taken to
resolve it. An incident communications process can also help to maintain trust and reputation, comply
with legal obligations and prevent misinformation or confusion.
3.A security analyst is running a tool against an executable of an unknown source.
The input supplied by the tool to the executable program and the output from the executable are
shown below:
Which of the following should the analyst report after viewing this information?
A. A dynamic library that is needed by the executable is missing.
B. Input can be crafted to trigger an injection attack in the executable.
C. The tool caused a buffer overflow in the executable's memory.
D. The executable attempted to execute a malicious command.
Answer: C
Explanation:
A buffer overflow is a type of attack that exploits a vulnerability in an application or program that does
not properly check the size or boundaries of an input. A buffer overflow occurs when an attacker
supplies more data than the buffer can hold, causing the excess data to overwrite adjacent memory
locations. This can result in unpredictable behavior, such as crashes, errors, data corruption, or
execution of malicious code. The tool that the analyst ran against the executable supplied an input
that was too long for the buffer allocated by the executable. This caused a buffer overflow in the
executable's memory, as indicated by the error message "Segmentation fault (core dumped)". A
segmentation fault on oversized input is strong evidence of a memory-safety bug but not proof of
exploitability; confirming that requires examining the crash under a debugger (for example, whether
the faulting address or the saved return address is controlled by the input).
Reference: Buffer Overflow - OWASP
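The executable and the tool from the question are not on the page, so the following added Python harness (not the tool from the question) shows the procedure behind the answer: feed a target increasingly long lines on stdin and report the first length at which the process dies by signal, with a triage hint for the signal. The stand-in target is a constructed shell one-liner that deliberately kills itself with SIGSEGV once a line exceeds 64 bytes; replace STAND_IN_TARGET with the real binary's command line.

```python
import signal
import subprocess
from typing import List, Optional, Tuple

# Constructed stand-in for the unknown executable: a shell script that "crashes"
# (kills itself with SIGSEGV) once the input line is longer than 64 bytes.
STAND_IN_TARGET = ["sh", "-c", 'read line; [ "${#line}" -gt 64 ] && kill -s SEGV $$; exit 0']

# Signals worth a second look during crash triage and what they usually mean.
SIGNAL_HINTS = {
    signal.SIGSEGV: "segmentation fault: invalid memory access, typical of an overrun buffer",
    signal.SIGABRT: "abort: e.g. glibc '*** stack smashing detected ***' or a failed assertion",
    signal.SIGBUS: "bus error: misaligned or unmapped access",
    signal.SIGILL: "illegal instruction: execution reached non-code bytes",
}


def describe_exit(returncode: int) -> str:
    """subprocess reports death-by-signal as a negative return code."""
    if returncode >= 0:
        return f"exited normally with status {returncode}"
    signo = -returncode
    try:
        sig = signal.Signals(signo)
    except ValueError:
        return f"killed by signal {signo}"
    return f"killed by {sig.name} ({SIGNAL_HINTS.get(sig, 'other signal')})"


def run_with_input(cmd: List[str], payload: bytes, timeout: float = 5.0) -> int:
    """Run cmd with payload on stdin; return the raw return code (negative = signal)."""
    try:
        proc = subprocess.run(cmd, input=payload, capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return 0  # a hang is a different bug class; this harness only hunts crashes
    return proc.returncode


def find_first_crash(cmd: List[str], lengths: List[int],
                     filler: bytes = b"A") -> Optional[Tuple[int, str]]:
    """Send lines of increasing length; return (length, description) of the first signal death."""
    for n in lengths:
        rc = run_with_input(cmd, filler * n + b"\n")
        if rc < 0:
            return n, describe_exit(rc)
    return None


if __name__ == "__main__":
    result = find_first_crash(STAND_IN_TARGET, [8, 16, 32, 64, 128, 256, 512])
    print("no crash" if result is None else f"first crash at {result[0]} bytes: {result[1]}")
```

Once a length is found, the next step is to re-run that input under a debugger rather than to report "exploitable"; the harness only establishes that the input length controls whether the program survives.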
4.Forming a hypothesis, looking for indicators of compromise, and using the findings to proactively
improve detection capabilities are examples of the value of:
A. vulnerability scanning.
B. threat hunting.
C. red teaming.
D. penetration testing.
Answer: B
Explanation:
Threat hunting is a proactive process of searching for signs of malicious activity or compromise within
a system or network, by using hypotheses, indicators of compromise, and analytical tools. Threat
hunting can help improve detection capabilities by identifying unknown threats, uncovering gaps in
security controls, and providing insights for remediation and prevention. Vulnerability scanning (A) is a
reactive process of scanning systems or networks for known vulnerabilities or weaknesses that can
be exploited by attackers. It can help identify and prioritize vulnerabilities, but not proactively hunt for
threats. Red teaming (C) is a simulated attack on a system or network by a group of ethical hackers
who act as adversaries and try to breach security controls. It can help test the effectiveness of
security defenses and response capabilities, but not proactively hunt for threats. Penetration testing
(D) is similar to red teaming, but with a more defined scope and objective. It can help evaluate the
security of a system or network by simulating real-world attacks and exploiting vulnerabilities, but not
proactively hunt for threats.
References:
https://www.techopedia.com/definition/33297/threat-hunting
https://www.techopedia.com/definition/4160/web-application-security-scanner-was
https://www.techopedia.com/definition/32694/red-teaming
https://www.techopedia.com/definition/13493/penetration-testing
5.During the security assessment of a new application, a tester attempts to log in to the application
but receives the following message: "incorrect password for given username".
Which of the following can the tester recommend to decrease the likelihood that a malicious attacker
will receive helpful information?
A. Set the web page to redirect to an application support page when a bad password is entered.
B. Disable error messaging for authentication.
C. Recognize that error messaging does not provide confirmation of the correct element of
authentication.
D. Avoid using password-based authentication for the application.
Answer: B
Explanation:
Disabling error messaging for authentication would be the best recommendation to decrease the
likelihood that a malicious attacker will receive helpful information. Error messaging for authentication
is a feature that displays an error message when a user enters an incorrect username or password.
However, this feature can also provide useful information to an attacker who is trying to guess or
brute-force valid credentials. For example, if the error message says "incorrect password for given
username", then the attacker knows that the username is valid and only needs to focus on cracking
the password. Disabling error messaging for authentication, or returning the same generic message for
every failure, reduces this information leakage and makes it harder for an attacker to succeed. The
message is only one channel: a measurable difference in response time or in lockout behaviour
between valid and invalid usernames leaks the same fact, so the generic response should be paired
with the same amount of processing on both paths. The specific reason should still be written to
server-side logs for the security team.
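As an added illustration (not code from the page or from the application under test), the Python below places the leaky check described in the question beside a hardened one that returns a single message and does the same password-hashing work whether or not the username exists. The user store, salt and password are constructed for the example; a real deployment keeps the hashes in a database and tunes the PBKDF2 iteration count to its hardware.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store: username -> (salt, PBKDF2 hash). Only one account exists.
_SALT = os.urandom(16)
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice": (_SALT, hash_password("correct horse battery staple", _SALT)),
}
# Dummy credential used for unknown usernames so that an attacker cannot tell
# "no such user" from "wrong password" by timing: both paths run PBKDF2 once.
_DUMMY: Tuple[bytes, bytes] = (os.urandom(16), b"\x00" * 32)

GENERIC_MESSAGE = "invalid username or password"
AUDIT_LOG: List[str] = []  # server-side detail stays available to the SOC


def login_leaky(username: str, password: str) -> Tuple[bool, str]:
    """The behaviour in the question: the response reveals which element failed."""
    if username not in USERS:
        return False, "unknown username"          # confirms the username is invalid
    salt, stored = USERS[username]
    if not hmac.compare_digest(hash_password(password, salt), stored):
        return False, "incorrect password for given username"   # confirms it is valid
    return True, "ok"


def login_hardened(username: str, password: str) -> Tuple[bool, str]:
    """Same decision, but one message and the same amount of work on every failure path."""
    known = username in USERS
    salt, stored = USERS.get(username, _DUMMY)
    # compare_digest runs in time independent of where the digests differ
    password_ok = hmac.compare_digest(hash_password(password, salt), stored)
    if known and password_ok:
        return True, "ok"
    reason = "bad password" if known else "unknown user"
    AUDIT_LOG.append(f"login failed user={username!r} reason={reason}")
    return False, GENERIC_MESSAGE
```

Account lockout and rate limiting should likewise be applied per source and per account in a way that does not differ between existing and non-existing usernames, or the enumeration channel reappears there.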
6.An organization has the following policy statements:
• All emails entering or leaving the organization will be subject to inspection for malware, policy
violations, and unauthorized content.
• All network activity will be logged and monitored.
• Confidential data will be tagged and tracked.
• Confidential data must never be transmitted in an unencrypted form.
• Confidential data must never be stored on an unencrypted mobile device.
Which of the following is the organization enforcing?
A. Acceptable use policy
B. Data privacy policy
C. Encryption policy
D. Data management policy
Answer: B
Explanation:
Data privacy policy is the organization's policy that defines how it collects, uses, stores, and shares
personal data of its customers, employees, or other stakeholders. Data privacy policy also covers
how the organization complies with relevant data protection laws and regulations, such as the
General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA). The
policy statements listed in the question are examples of data privacy policy provisions that aim to
protect the confidentiality, integrity, and availability of personal data.
7.A security analyst observes a large amount of scanning activity coming from an IP address outside
the organization's environment.
Which of the following should the analyst do to block this activity?
A. Create an IPS rule to block the subnet.
B. Sinkhole the IP address.
C. Create a firewall rule to block the IP address.
D. Close all unnecessary open ports.
Answer: C
Explanation:
A firewall is a device or software that controls the incoming and outgoing network traffic based on
predefined rules. Creating a firewall rule to block the IP address that is scanning the organization’s
environment is an effective way to stop this activity and prevent potential attacks. Creating an IPS rule
to block the subnet, sinkholing the IP address, or closing all unnecessary open ports are other
possible actions, but they are not as specific or efficient as creating a firewall rule to block the IP
address.
Reference: https://www.cisco.com/c/en/us/solutions/small-business/resource-center/security/firewall.html
8.A Chief Information Security Officer (CISO) is concerned about new privacy regulations that apply
to the company. The CISO has tasked a security analyst with finding the proper control functions to
verify that a user's data is not altered without the user's consent.
Which of the following would be an appropriate course of action?
A. Automate the use of a hashing algorithm after verified users make changes to their data.
B. Use encryption first and then hash the data at regular, defined times.
C. Use a DLP product to monitor the data sets for unauthorized edits and changes.
D. Replicate the data sets at regular intervals and continuously compare the copies for unauthorized
changes.
Answer: A
Explanation:
Automating the use of a hashing algorithm after verified users make changes to their data is an
appropriate course of action to verify that a user's data is not altered without the user's consent.
Hashing is a technique that produces a fixed-length value for a given input, such as a file or a
message, that changes whenever the input changes. Hashing can help to verify data integrity by
comparing the hash values of the original and current data. If the hash values match, then the data
has not been altered since the consented change. If the hash values differ, then the data may have
been tampered with or corrupted. For the comparison to mean anything, the reference hash must be
computed or stored somewhere the party making unauthorized edits cannot also rewrite it, for
example as a keyed hash (HMAC) whose key the data store does not hold, or in a separate integrity
store; otherwise a tamperer simply recomputes the hash over the altered data.
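As an added example, not taken from the page, the Python below automates a keyed hash (HMAC-SHA-256) over a canonical encoding of the record each time a verified user change is saved, rechecks it on read, and contrasts that with a plain hash stored beside the data, which an out-of-band editor can recompute. The key, the records and the simulated tamper are all constructed for the demonstration; the key would live in a secrets manager, not in source.

```python
import hashlib
import hmac
import json
from typing import Any, Dict, Tuple

# Constructed key for the example. In production, fetch it from a KMS/secrets manager
# so that whoever can edit the database cannot also read the key.
INTEGRITY_KEY = b"example-integrity-key-do-not-use"


def canonical(record: Dict[str, Any]) -> bytes:
    """Deterministic byte encoding: key order and whitespace must not change the tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode()


def seal(record: Dict[str, Any], key: bytes = INTEGRITY_KEY) -> str:
    """Tag computed right after a verified user change."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify(record: Dict[str, Any], tag: str, key: bytes = INTEGRITY_KEY) -> bool:
    return hmac.compare_digest(seal(record, key), tag)


def unkeyed_hash(record: Dict[str, Any]) -> str:
    """Plain SHA-256: detects accidental corruption, but anyone who can edit the
    row can recompute it, so it does not prove the change was consented to."""
    return hashlib.sha256(canonical(record)).hexdigest()


class UserDataStore:
    """Records are only written through user_update(); reads refuse altered rows."""

    def __init__(self) -> None:
        self._rows: Dict[str, Tuple[Dict[str, Any], str]] = {}

    def user_update(self, user_id: str, record: Dict[str, Any], consent_verified: bool) -> str:
        if not consent_verified:
            raise PermissionError("change was not authorised by the user")
        tag = seal(record)
        self._rows[user_id] = (dict(record), tag)
        return tag

    def read(self, user_id: str) -> Dict[str, Any]:
        record, tag = self._rows[user_id]
        if not verify(record, tag):
            raise ValueError(f"record {user_id} was altered outside the consent path")
        return dict(record)

    def tamper_out_of_band(self, user_id: str, field: str, value: Any) -> None:
        """Simulates a DBA, an injection bug or a rogue process editing the row directly."""
        self._rows[user_id][0][field] = value


def demo() -> Dict[str, bool]:
    """Same tamper against the keyed tag and against a plain hash stored beside the data."""
    store = UserDataStore()
    store.user_update("u42", {"name": "Ada", "marketing_opt_in": False}, consent_verified=True)
    store.tamper_out_of_band("u42", "marketing_opt_in", True)
    try:
        store.read("u42")
        keyed_caught = False
    except ValueError:
        keyed_caught = True

    row = {"name": "Ada", "marketing_opt_in": False}
    row["marketing_opt_in"] = True
    attacker_hash = unkeyed_hash(row)          # the tamperer recomputes the hash as well
    # The verifier only sees the row and the hash beside it: the edit looks intact.
    plain_caught = unkeyed_hash(row) != attacker_hash
    return {"keyed_tag_detects_tamper": keyed_caught, "plain_hash_detects_tamper": plain_caught}
```

Canonicalisation matters as much as the key: if the application re-serialises the record with different key order or whitespace, an honest row would fail verification and the alerts would be ignored.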
9.As a proactive threat-hunting technique, hunters must develop situational cases based on likely
attack scenarios derived from the available threat intelligence information.
After forming the basis of the scenario, which of the following may the threat hunter construct to
establish a framework for threat assessment?
A. Critical asset list
B. Threat vector
C. Attack profile
D. Hypothesis
Answer: D
Explanation:
A hypothesis is a statement that can be tested by threat hunters to establish a framework for threat
assessment. A hypothesis is based on situational awareness and threat intelligence information, and
describes a possible attack scenario that may affect the organization. A hypothesis can help to guide
threat hunters in their investigation by providing a clear and specific question to answer, such as “Is
there any evidence of lateral movement within our network?” or “Are there any signs of data
exfiltration from our servers?”.
Reference: https://www.crowdstrike.com/blog/tech-center/threat-hunting-hypothesis-development/
10.A cybersecurity analyst is concerned about attacks that use advanced evasion techniques.
Which of the following would best mitigate such attacks?
A. Keeping IPS rules up to date
B. Installing a proxy server
C. Applying network segmentation
D. Updating the antivirus software
Answer: A
Explanation:
Keeping IPS rules up to date is the best way to mitigate attacks that use advanced evasion
techniques. An IPS (intrusion prevention system) is a security device that monitors network traffic and
blocks or prevents malicious activity based on predefined rules or signatures. Advanced evasion
techniques are cyberattacks that combine various evasion methods to bypass security detection and
protection tools, such as IPS. Keeping IPS rules up to date can help to ensure that the IPS can
recognize and block the latest advanced evasion techniques and prevent them from compromising
the network.
11.A security officer needs to find the most cost-effective solution to the current data privacy and
protection gap found in the last security assessment .
Which of the following is the BEST recommendation?
A. Require users to sign NDAs
B. Create a data minimization plan.
C. Add access control requirements
D. Implement a data loss prevention solution
Answer: B
Explanation:
Creating a data minimization plan would be the most cost-effective solution to the current data privacy
and protection gap found in the last security assessment. Data minimization is a principle that states
that organizations should collect, store, process, and retain only the minimum amount of personal
data that is necessary for their legitimate purposes. Data minimization can help reduce the risk of
data breaches, data leaks, or data misuse by limiting the exposure and access to sensitive data. Data
minimization can also help comply with data protection regulations, such as the General Data
Protection Regulation (GDPR), that require organizations to justify their data collection and
processing activities. Data minimization can be achieved by implementing various measures, such as
deleting or anonymizing unnecessary data, applying retention policies, or using encryption or
pseudonymization techniques.
12.Due to continued support of legacy applications, an organization's enterprise password complexity
rules are inadequate for its required security posture.
Which of the following is the BEST compensating control to help reduce authentication compromises?
A. Smart cards
B. Multifactor authentication
C. Biometrics
D. Increased password-rotation frequency
Answer: B
Explanation:
Multifactor authentication is a method of verifying a user’s identity by requiring two or more pieces of
evidence, such as something the user knows (e.g., password), something the user has (e.g., token),
or something the user is (e.g., fingerprint). Multifactor authentication is the best compensating control
to help reduce authentication compromises when the organization’s enterprise password complexity
rules are inadequate for its required security posture. Smart cards, biometrics, or increased password-
rotation frequency are other possible controls, but they are not as effective or comprehensive as
multifactor authentication.
Reference: https://www.csoonline.com/article/3239144/what-is-multifactor-authentication-mfa-how-it-works-and-why-you-need-it.html
13.A company has a cluster of web servers that is critical to the business. A systems administrator
installed a utility to troubleshoot an issue, and the utility caused the entire cluster to go offline.
Which of the following solutions would work BEST to prevent this from happening again?
A. Change management
B. Application whitelisting
C. Asset management
D. Privilege management
Answer: A
Explanation:
Change management:
• The process through which changes to the configuration of information systems are monitored and
controlled, as part of the organization's overall configuration management efforts.
• Each individual component should have a separate document or database record that describes its
initial state and subsequent changes: configuration information, patches installed, backup records,
and incident reports/issues.
• Change management ensures all changes are planned and controlled to minimize the risk of a
service disruption.
Change management is a process that ensures changes to systems or processes are introduced in a
controlled and coordinated manner. Change management helps to minimize the impact of changes
on the business operations and avoid unintended consequences or errors. Change management can
help prevent the issue of utility installation affecting the web server cluster by ensuring that the utility
is properly planned, tested, approved, documented, communicated, and monitored.
Reference: What is change management? | ITIL | AXELOS
14.While investigating reports of issues with a web server, a security analyst attempts to log in
remotely and receives the following message:
The analyst accesses the server console, and the following console messages are displayed:
The analyst is also unable to log in on the console.
While reviewing network captures for the server, the analyst sees many packets with the following
signature:
Which of the following is the BEST step for the analyst to take next in this situation?
A. Load the network captures into a protocol analyzer to further investigate the communication with
128.30.100.23, as this may be a botnet command server.
B. After ensuring network captures from the server are saved, isolate the server from the network, take
a memory snapshot, reboot, and log in to do further analysis.
C. Corporate data is being exfiltrated from the server. Reboot the server and log in to see if it contains
any sensitive data.
D. Cryptomining malware is running on the server and utilizing all CPU and memory. Reboot the
server and disable any cron jobs or startup scripts that start the mining software.
Answer: D
Explanation:
Cryptomining malware, or cryptojacking, is a type of malware that hides on a device and uses its
computing resources to mine for valuable online currencies like Bitcoin. Cryptomining malware can
cause performance issues, increased energy consumption, overheating, or hardware damage.
The analyst encountered cryptomining malware on the web server, as indicated by the following
signs:
✑ The analyst was unable to log in remotely or on the console, most likely because the miner had
exhausted the CPU and memory needed to service a login (malware may also deliberately block
access to hinder detection or removal).
✑ The console messages showed that the server was running out of memory and CPU resources, as
the malware consumed all available resources for mining.
✑ The network captures showed many packets with a "Stratum" signature; Stratum is the JSON-RPC
protocol used for communication between miners and mining pools.
The best step for the analyst to take next is to reboot the server and disable any cron jobs or startup
scripts that start the mining software. This can help stop the mining activity and restore access to the
server. Because a reboot discards volatile evidence (running processes, open connections, memory),
the analyst should make sure the existing network captures are preserved before restarting. The
analyst should then scan the server for any other traces of malware, including other persistence such
as systemd units, modified binaries or added SSH keys, and remove them.
References: Cryptojacking: What is it, and how does it work? | Malwarebytes; Stratum (mining
protocol) - Bitcoin Wiki
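The capture from the question is not reproduced on the page. As an added example, the Python below shows the detection logic an analyst could run over reassembled TCP payloads to confirm a "Stratum" signature: Stratum is newline-delimited JSON-RPC whose method names begin with mining. (or login/submit with job fields on the Monero-style variant), so the method names are the signal and the destination port is only a hint. The flows, addresses and payloads are constructed.

```python
import json
from typing import Dict, List

# Stratum (pool mining) method names. The JSON-RPC text is the signal; the port is only a hint,
# since pools listen on 3333/4444/5555/14444 but also on 80 and 443.
STRATUM_METHOD_PREFIXES = ("mining.",)
XMR_STYLE_METHODS = {"login", "submit", "keepalived"}
XMR_STYLE_PARAM_KEYS = {"agent", "login", "job_id", "nonce"}
COMMON_POOL_PORTS = {3333, 4444, 5555, 14444}

# Constructed flows as a capture tool would reassemble them (src, dst, dport, payload).
SAMPLE_FLOWS: List[Dict] = [
    {"src": "10.0.0.15", "dst": "198.51.100.7", "dport": 3333,
     "payload": b'{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5.0"]}\n'
                b'{"id":2,"method":"mining.authorize","params":["wallet.worker1","x"]}\n'},
    {"src": "10.0.0.15", "dst": "203.0.113.9", "dport": 443,
     "payload": b'{"id":1,"jsonrpc":"2.0","method":"login",'
                b'"params":{"login":"4ABC...","pass":"x","agent":"xmrig/6.0"}}\n'},
    {"src": "10.0.0.20", "dst": "10.0.0.2", "dport": 8080,
     "payload": b'{"id":1,"method":"getUser","params":[42]}\n'},
    {"src": "10.0.0.21", "dst": "93.184.216.34", "dport": 443,
     "payload": b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"},   # TLS ClientHello, not JSON
]


def _is_stratum(method: str, params) -> bool:
    if method.startswith(STRATUM_METHOD_PREFIXES):
        return True
    # Generic APIs also have a "login" method; require miner-specific parameter keys.
    return method in XMR_STYLE_METHODS and isinstance(params, dict) \
        and bool(XMR_STYLE_PARAM_KEYS & set(params))


def stratum_methods(payload: bytes) -> List[str]:
    """Return the Stratum method names found in a newline-delimited JSON-RPC payload."""
    found = []
    for line in payload.split(b"\n"):
        line = line.strip()
        if not line.startswith(b"{"):
            continue
        try:
            msg = json.loads(line.decode("utf-8"))
        except (UnicodeDecodeError, ValueError):
            continue
        if not isinstance(msg, dict):
            continue
        method = msg.get("method")
        if isinstance(method, str) and _is_stratum(method, msg.get("params")):
            found.append(method)
    return found


def flag_mining_flows(flows: List[Dict]) -> List[Dict]:
    """Flows whose payload speaks Stratum; port_hint notes whether the port alone would have caught it."""
    hits = []
    for f in flows:
        methods = stratum_methods(f["payload"])
        if methods:
            hits.append({"src": f["src"], "dst": f["dst"], "dport": f["dport"],
                         "methods": methods, "port_hint": f["dport"] in COMMON_POOL_PORTS})
    return hits


if __name__ == "__main__":
    for hit in flag_mining_flows(SAMPLE_FLOWS):
        print(hit)
```

Miners increasingly wrap Stratum in TLS, in which case the payload is opaque and the analyst falls back to the destination (pool hostnames, known pool IPs) and to host evidence such as the process consuming the CPU.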
15.Which of the following is a reason to use a risk-based cybersecurity framework?
A. A risk-based approach always requires quantifying each cyber risk faced by an organization.
B. A risk-based approach better allocates an organization's resources against cyberthreats
and vulnerabilities.
C. A risk-based approach is driven by regulatory compliance and is required for most organizations.
D. A risk-based approach prioritizes vulnerability remediation by threat hunting and other
qualitative-based processes.
Answer: B
Explanation:
A risk-based cybersecurity framework is a set of guidelines and best practices that helps an
organization identify, assess, prioritize, and mitigate cyber risks. By using a risk-based approach, an
organization can allocate its resources more efficiently and effectively to address the most critical and
likely cyber risks. A risk-based approach does not always require quantifying each cyber risk, is not
driven by regulatory compliance, and does not prioritize vulnerability remediation by threat hunting.
Reference: https://www.nist.gov/cyberframework/risk-management
16.A security officer needs to find the most cost-effective solution to the current data privacy and
protection gap found in the last security assessment.
Which of the following is the BEST recommendation?
A. Require users to sign NDAs
B. Create a data minimization plan.
C. Add access control requirements.
D. Implement a data loss prevention solution.
Answer: B
Explanation:
A data minimization plan is a strategy that aims to reduce the amount and type of data that an
organization collects, stores, and processes. It can help improve data privacy and protection by
limiting the exposure and impact of a data breach or loss. Creating a data minimization plan is the
best recommendation for a security officer who needs to find the most cost-effective solution to the
current data privacy and protection gap. Requiring users to sign NDAs, adding access control
requirements, or implementing a data loss prevention solution are other possible solutions, but they
are not as cost-effective as creating a data minimization plan.
Reference: https://www.csoonline.com/article/3603898/data-minimization-what-is-it-and-how-to-implement-it.html
17.Which of the following is the best reason why organizations need operational security controls?
A. To supplement areas that other controls cannot address
B. To limit physical access to areas that contain sensitive data
C. To assess compliance automatically against a secure baseline
D. To prevent disclosure by potential insider threats
Answer: A
Explanation:
Operational security controls are security measures that are implemented and executed by people
rather than by systems. Operational security controls are needed to supplement areas that other
controls, such as technical or physical controls, cannot address. For example, operational security
controls can include policies, procedures, training, awareness, audits, reviews, testing, etc. These
controls can help ensure that employees follow best practices, comply with regulations, detect and
report incidents, and respond to emergencies. The other options are not specific to operational
security controls or are too narrow in scope. References: CompTIA Cybersecurity Analyst (CySA+)
Certification Exam Objectives (CS0-002), page 14;
https://www.isaca.org/resources/isaca-journal/issues/2016/volume-3/operational-security-controls
18.A financial institution's business unit plans to deploy a new technology in a manner that violates
existing information security standards.
Which of the following actions should the Chief Information Security Officer (CISO) take to manage
any type of violation?
A. Enforce the existing security standards and controls.
B. Perform a risk analysis and qualify the risk with legal.
C. Perform research and propose a better technology.
D. Enforce the standard permits.
Answer: B
Explanation:
The International Organization for Standardization (ISO) develops standards for businesses around
the world so that they may operate using a uniform set of best practices. These standards are not
enforceable laws, but companies that choose to follow them stand to gain international credibility
from their compliance; standards are set as guidance for best practices. Likewise, an internal security
standard is a baseline rather than a law: when a business unit needs to deviate from it, the deviation
should go through the risk management process. Performing a risk analysis of the proposed
deployment and qualifying the risk with legal gives management the information to accept the risk,
require compensating controls, or reject the plan, rather than blocking the initiative outright.
19.A computer hardware manufacturer is developing a new SoC that will be used by mobile devices.
The SoC should not allow users or the process to downgrade from a newer firmware to an older one.
Which of the following can the hardware manufacturer implement to prevent firmware downgrades?
A. Encryption
B. eFuse
C. Secure Enclave
D. Trusted execution
Answer: B
Explanation:
An eFuse, or electronic fuse, is a microscopic fuse put into a computer chip that can be blown by
applying a high voltage or current. Once blown, an eFuse cannot be reset or repaired, and its state
can be read by software or hardware. An eFuse can be used by a hardware manufacturer to prevent
firmware downgrades on a system-on-chip (SoC) that will be used by mobile devices. An eFuse can
store information such as the firmware version, security level, or device configuration on the chip.
When a newer firmware is installed, one or more eFuses can be blown to record the new minimum
version, and the boot ROM refuses any image whose version is lower than that fused value. Because
the fuse bank holds only a limited number of bits, vendors typically burn a fuse only for
security-relevant releases (an anti-rollback counter) rather than for every version, and the check is
only meaningful when combined with signature verification of the image. This can help protect the
device from security vulnerabilities, compatibility issues, or unauthorized modifications.
Reference: eFuse - Wikipedia
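As an added illustration, not vendor code, the Python below models the mechanism the explanation describes: a bank of one-time-programmable bits that the boot ROM reads as a minimum anti-rollback level, with no operation that clears a bit. The image format and the separation of "version" from "anti_rollback" level are assumptions for the example; signature verification of the image, which a real SoC performs before this check, is left out.

```python
from typing import Dict, Optional


class EfuseBank:
    """One-time-programmable bits: a fuse can go 0 -> 1 but there is no way back."""

    def __init__(self, size: int = 8) -> None:
        self._bits = [0] * size

    def blown_count(self) -> int:
        return sum(self._bits)

    def blow(self, index: int) -> None:
        if index >= len(self._bits):
            raise ValueError("no fuse left: anti-rollback counter exhausted")
        self._bits[index] = 1   # idempotent; no clear() exists by design

    def read(self) -> tuple:
        return tuple(self._bits)


class SoCBootRom:
    """Accept an image only if its anti-rollback level is at least the fused minimum."""

    def __init__(self, fuses: EfuseBank) -> None:
        self.fuses = fuses
        self.running: Optional[Dict] = None

    def minimum_level(self) -> int:
        return self.fuses.blown_count()

    def boot(self, image: Dict) -> bool:
        # Signature check of 'image' is assumed to have passed before this point.
        if image["anti_rollback"] < self.minimum_level():
            return False            # downgrade attempt: refuse to run the older image
        self.running = image
        return True

    def commit(self) -> int:
        """After the new image has booted and proven itself, burn its level into the fuses."""
        if self.running is None:
            raise RuntimeError("nothing booted")
        for i in range(self.fuses.blown_count(), self.running["anti_rollback"]):
            self.fuses.blow(i)
        return self.minimum_level()


def downgrade_scenario() -> Dict[str, bool]:
    """Walk through update -> commit -> attempted rollback on a fresh device."""
    rom = SoCBootRom(EfuseBank(size=8))
    v1 = {"version": "1.0.0", "anti_rollback": 1}
    v2 = {"version": "1.1.0", "anti_rollback": 1}   # bug-fix release, no fuse spent
    v3 = {"version": "2.0.0", "anti_rollback": 2}   # fixes a security issue: bump the level
    out: Dict[str, bool] = {}
    out["v1_boots_on_fresh_device"] = rom.boot(v1)
    rom.commit()
    out["v3_boots_after_v1"] = rom.boot(v3)
    rom.commit()
    out["v1_rejected_after_v3"] = not rom.boot(v1)
    out["v2_rejected_after_v3"] = not rom.boot(v2)
    out["v3_still_boots"] = rom.boot(v3)
    return out
```

Committing only after the new image has booted successfully avoids bricking the device if the update itself is broken; an eFuse burned before the first good boot cannot be taken back.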
20.A company is planning to implement a vulnerability management procedure.
However, its security maturity level is low, so there are some prerequisites to complete before risk
calculation and prioritization.
Which of the following should be completed FIRST?
A. A business Impact analysis
B. A system assessment
C. Communication of the risk factors
D. A risk identification process
Answer: A
Explanation:
A business impact analysis (BIA) should be completed first before risk calculation and prioritization. A
BIA is a process that identifies and evaluates the potential effects of disruptions to critical business
functions or processes. A BIA helps to determine the recovery priorities, objectives, and strategies for
the organization's assets and resources. A BIA is a prerequisite for risk calculation and prioritization
because it provides the basis for estimating the impact and likelihood of various threats and
vulnerabilities on the organization's operations, reputation, and finances.
21.A company experienced a security compromise due to the inappropriate disposal of one of its
hardware appliances. Sensitive information stored on the hardware appliance was not removed prior
to disposal.
Which of the following is the BEST manner in which to dispose of the hardware appliance?
A. Ensure the hardware appliance has the ability to encrypt the data before disposing of it.
B. Dispose of all hardware appliances securely, thoroughly, and in compliance with company policies.
C. Return the hardware appliance to the vendor, as the vendor is responsible for disposal.
D. Establish guidelines for the handling of sensitive information.
Answer: B
Explanation:
Secure and thorough disposal can involve deleting or wiping all data from the hardware appliances,
physically destroying or shredding them, or recycling them through certified vendors or programs.
Compliance with company policies can help to ensure that the disposal follows the best practices and
standards for data protection and environmental responsibility.
References:
https://www.bestbuy.com/site/services/recycling/pcmcat149900050025.c?id=pcmcat149900050025
https://www.epa.gov/recycle/electronics-donation-and-recycling
https://www.techtarget.com/searchdatacenter/tip/A-6-step-guide-for-hardware-disposal
22.As part of the senior leadership team's ongoing risk management activities, the Chief Information
Security Officer has tasked a security analyst with coordinating the right training and testing
methodology to respond to new business initiatives or significant changes to existing ones. The
management team wants to examine a new business process that would use existing infrastructure to
process and store sensitive data.
Which of the following would be appropriate for the security analyst to coordinate?
A. A black-box penetration testing engagement
B. A tabletop exercise
C. Threat modeling
D. A business impact analysis
Answer: C
Explanation:
Threat modeling is a process that helps identify and analyze the potential threats and vulnerabilities of
a system or process. It can help evaluate the security risks and mitigation strategies of a new
business process that would use existing infrastructure to process and store sensitive data. A black-
box penetration testing engagement, a tabletop exercise, or a business impact analysis are other
methods that can be used to assess the security or resilience of a system or process, but they are not
as appropriate as threat modeling for coordinating the right training and testing methodology to
respond to new business initiatives or significant changes to existing ones.
Reference: https://owasp.org/www-community/Application_Threat_Modeling
23.A technician working at company.com received the following email:
After looking at the above communication, which of the following should the technician recommend to
the security team to prevent exposure of sensitive information and reduce the risk of corporate data
being stored on non-corporate assets?
A. Forwarding of corporate email should be disallowed by the company.
B. A VPN should be used to allow technicians to troubleshoot computer issues securely.
C. An email banner should be implemented to identify emails coming from external sources.
D. A rule should be placed on the DLP to flag employee IDs and serial numbers.
Answer: C
Explanation:
An email banner is a message that is added to the top or bottom of an email to provide some
information or warning to the recipient. An email banner should be implemented to identify emails
coming from external sources to prevent exposure of sensitive information and reduce the risk of
corporate data being stored on non-corporate assets. An email banner can help employees recognize
phishing or spoofing attempts and avoid clicking on malicious links or attachments. It can also remind
employees not to share confidential information with external parties or forward corporate emails to
personal accounts. The other options are not relevant or effective for this purpose. References:
CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page 13;
https://www.csoonline.com/article/3235970/what-is-spoofing-definition-and-how-to-prevent-it.html
24.Which of the following solutions is the BEST method to prevent unauthorized use of an API?
A. HTTPS
B. Geofencing
C. Rate limiting
D. Authentication
Answer: D
Explanation:
Authentication is a method of verifying a user’s identity by requiring some piece of evidence, such as
something the user knows (e.g., password), something the user has (e.g., token), or something the
user is (e.g., fingerprint). Authentication is the best method to prevent unauthorized use of an API,
because it ensures that only legitimate users can access or use the API functions or data. HTTPS,
geofencing, or rate limiting are other methods that can enhance the security or performance of an
API, but they do not prevent unauthorized use of an API.
Reference: https://www.redhat.com/en/topics/api/what-is-api-security
25.A security analyst is performing a Diamond Model analysis of an incident the company had last
quarter.
A potential benefit of this activity is that it can identify:
A. detection and prevention capabilities to improve.
B. which systems were exploited more frequently.
C. possible evidence that is missing during forensic analysis.
D. which analysts require more training.
E. the time spent by analysts on each of the incidents.
Answer: A
Explanation:
A Diamond Model analysis of an incident is a framework that identifies the four essential features of
an attack: adversary, capability, infrastructure, and victim. By analyzing these features and their
relationships, a security analyst can gain insights into the attack's objectives, methods, sources, and
targets. A potential benefit of this activity is that it can identify detection and prevention capabilities to
improve, such as gaps in security controls, indicators of compromise, or mitigation strategies.
References: What is the Diamond Model of Intrusion Analysis?; How to use the MITRE ATT&CK®
framework and diamond model of intrusion analysis together
26.Members of the sales team are using email to send sensitive client lists with contact information to
their personal accounts. The company's AUP and code of conduct prohibits this practice.
Which of the following configuration changes would improve security and help prevent this from
occurring?
A. Configure the DLP transport rules to provide deep content analysis.
B. Put employees' personal email accounts on the mail server on a blocklist.
C. Set up IPS to scan for outbound emails containing names and contact information.
D. Use Group Policy to prevent users from copying and pasting information into emails.
E. Move outbound emails containing names and contact information to a sandbox for further
examination.
Answer: A
Explanation:
Data loss prevention (DLP) is a set of policies and tools that aim to prevent unauthorized disclosure of
sensitive data. DLP transport rules are rules that apply to email messages that are sent or received
by an organization’s mail server. These rules can provide deep content analysis, which means they
can scan the content of email messages and attachments for sensitive data patterns, such as client
lists or contact information. If a rule detects a violation of the DLP policy, it can take actions such as
blocking, quarantining, or notifying the sender or recipient. This would improve security and help
prevent sales team members from sending sensitive client lists to their personal accounts.
References: CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page
14; https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/data-loss-
prevention
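A minimal version of the deep content analysis a DLP transport rule performs, added here as an example; it is not taken from the exam material or from any vendor's product. It scans a constructed outbound message for contact-record patterns and decides a transport action (block, notify or allow) based on whether any recipient is outside the company. The internal mail domain, the record threshold and the regular expressions are assumptions.

```python
import re
from dataclasses import dataclass, field

# Assumption: the company's own mail domain(s); any other domain is external.
INTERNAL_DOMAINS = {"corp.example"}

# Constructed sample message of the kind the question describes: a client list
# mailed from a corporate account to a personal webmail account.
SAMPLE_OUTBOUND = {
    "from": "jdoe@corp.example",
    "to": ["jdoe.personal@webmail.example"],
    "subject": "client list for this week",
    "body": (
        "Acme Corp, Jane Smith, jane.smith@acme.example, +1 555 010 2233\n"
        "Globex, Tom Jones, tom@globex.example, +1 555 010 4455\n"
        "Initech, Ann Lee, ann.lee@initech.example, +1 555 010 6677\n"
    ),
}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")


@dataclass
class Verdict:
    action: str                     # "block", "notify" or "allow"
    reasons: list = field(default_factory=list)


def is_external(address):
    """True when the recipient's domain is not one of ours."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def count_contact_records(body):
    """A line carrying both an e-mail address and a phone number is treated as
    one contact record; several of them in one message look like a client list."""
    return sum(1 for ln in body.splitlines()
               if EMAIL_RE.search(ln) and PHONE_RE.search(ln))


def inspect_message(msg, record_threshold=3):
    """Transport-rule decision. Content is only examined when at least one
    recipient is external, because internal sharing is not the policy violation."""
    external = [r for r in msg["to"] if is_external(r)]
    if not external:
        return Verdict("allow", ["no external recipients"])
    records = count_contact_records(msg["body"])
    if records >= record_threshold:
        return Verdict("block", [f"{records} contact records addressed to {external}"])
    if EMAIL_RE.search(msg["body"]) or PHONE_RE.search(msg["body"]):
        return Verdict("notify", ["isolated contact details addressed externally"])
    return Verdict("allow", ["no sensitive patterns found"])
```

The three-record threshold is what turns "someone mailed a colleague's number" into "someone exported a list"; a real rule would also inspect attachments and would log the verdict with the sender identity so the AUP violation can be followed up.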
27.A security analyst reviews SIEM logs and discovers the following error event:
Which of the following environments does the analyst need to examine to continue troubleshooting
the event?
A. Proxy server
B. SQL server
C. Windows domain controller
D. WAF appliance
E. DNS server
Answer: C
Explanation:
A Windows domain controller is a server that manages authentication and authorization for users and
computers in a Windows domain. A Windows domain controller uses Active Directory Domain
Services (AD DS) to store information about users, groups, computers, policies, and other objects in a
domain. A Windows domain controller can generate event logs that record various activities and
events related to security, system, application, etc. The event log shown in the question indicates that
it was generated by a Windows domain controller with an IP address of 10.0.0.1 and a hostname of
DC01.
Reference: What Is a Domain Controller? | Microsoft Docs
28.A security analyst at example.com receives a SIEM alert for an IDS signature and reviews the
associated packet capture and TCP stream:
Which of the following actions should the security analyst take NEXT?
A. Review the known Apache vulnerabilities to determine if a compromise actually occurred
B. Contact the application owner for connect.example.local for additional information
C. Mark the alert as a false positive scan coming from an approved source.
D. Raise a request to the firewall team to block 203.0.113.15.
Answer: A
Explanation:
The security analyst should review the known Apache vulnerabilities to determine whether a
compromise actually occurred. The SIEM alert indicates that an IDS signature detected an attempt to
exploit a vulnerability in Apache Struts 2 (CVE-2017-5638), which allows remote code execution via a
crafted Content-Type header. The packet capture and TCP stream show that the attacker sent a
malicious request whose Content-Type header contains an OGNL expression that executes the
command "whoami" on the target server. An exploit attempt is not the same as a successful exploit:
the outcome depends on whether the target was running a vulnerable version of Apache Struts 2.
Therefore the analyst should compare the known vulnerable versions with the version of Apache
Struts 2 running on the server, and check the server's response in the TCP stream for command
output, before concluding that a compromise occurred. Blocking the source address or closing the
alert as a false positive would be premature until that is known.
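The check the explanation calls for, written as an added example; it is not the page's own material and the request is not the capture from the question. A constructed request modelled on the CVE-2017-5638 exploit pattern is parsed, its Content-Type header is tested for an OGNL expression, the embedded command is extracted, and the observed Struts version is compared with the affected range published in the Apache S2-045 advisory (2.3.5 to 2.3.31 and 2.5 to 2.5.10, fixed in 2.3.32 and 2.5.10.1). The sample request, the hostname and the wording of the triage verdicts are assumptions.

```python
import re

# Constructed sample request modelled on the CVE-2017-5638 exploit pattern. It is
# an example, not the packet capture referred to in the question.
SAMPLE_REQUEST = (
    "GET /struts2-showcase/ HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Content-Type: %{(#_='multipart/form-data')."
    "(#cmd='whoami').(#p=new java.lang.ProcessBuilder(#cmd)).(#p.start())}\r\n"
    "User-Agent: Mozilla/5.0\r\n\r\n"
)

# An OGNL expression opens with %{ or ${ and references variables with '#';
# a legitimate Content-Type never contains either.
OGNL_MARKERS = re.compile(r"[%$]\{.*#", re.DOTALL)


def parse_headers(raw):
    """Split a raw HTTP request into its request line and a lower-cased header dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for ln in lines[1:]:
        if ":" in ln:
            name, value = ln.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def content_type_is_ognl(headers):
    """The IDS signature condition: an OGNL expression inside Content-Type."""
    return bool(OGNL_MARKERS.search(headers.get("content-type", "")))


def extract_command(headers):
    """Pull the #cmd='...' value out of the payload for the incident record."""
    m = re.search(r"#cmd='([^']*)'", headers.get("content-type", ""))
    return m.group(1) if m else None


def parse_version(text):
    return tuple(int(x) for x in re.findall(r"\d+", text))


def struts_version_vulnerable(version):
    """Affected ranges from the S2-045 advisory for CVE-2017-5638."""
    v = parse_version(version)
    return (2, 3, 5) <= v <= (2, 3, 31) or (2, 5) <= v <= (2, 5, 10)


def triage(raw_request, observed_struts_version):
    """Next step after the alert: is it an exploit attempt, and was the target vulnerable?"""
    _, headers = parse_headers(raw_request)
    if not content_type_is_ognl(headers):
        return "no OGNL in Content-Type; likely false positive"
    cmd = extract_command(headers)
    if struts_version_vulnerable(observed_struts_version):
        return (f"exploit attempt ({cmd}) against vulnerable Struts "
                f"{observed_struts_version}: treat as probable compromise")
    return (f"exploit attempt ({cmd}) against patched Struts "
            f"{observed_struts_version}: attempt only, confirm with server response")
```

The version check is only half the answer in practice: the TCP stream's response is the other half, because a 200 with the output of `whoami` in the body settles the question regardless of what the inventory says the version is.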
29.A security analyst is correlating, ranking, and enriching raw data into a report that will be
interpreted by humans or machines to draw conclusions and create actionable recommendations .
Which of the following steps in the intelligence cycle is the security analyst performing?
A. Analysis and production
B. Processing and exploitation
C. Dissemination and evaluation
D. Data collection
E. Planning and direction
Answer: B
Explanation:
Processing and exploitation is the step in the intelligence cycle that converts raw collected data into
a form that analysts or automated tools can work with: normalizing, correlating, ranking, enriching, and
filtering it. The output of this step is a structured product that is then interpreted during analysis
and production to draw conclusions and create actionable intelligence. That is what the question
describes: the analyst is preparing the report that will later be interpreted, not yet drawing the
conclusions. Analysis and production, dissemination and evaluation, data collection, and planning
and direction are the other steps in the cycle, but they do not match the task described.
Reference: https://www.cia.gov/news-information/featured-story-archive/2010-featured-story-
archive/intelligence-cycle.html
30.During an audit, several customer order forms were found to contain inconsistencies between the
actual price of an item and the amount charged to the customer. Further investigation narrowed the
cause of the issue to manipulation of the public-facing web form used by customers to order products.
Which of the following would be the best way to locate this issue?
A. Reduce the session timeout threshold
B. Deploy MFA for access to the web server.
C. Implement input validation.
D. Run a dynamic code analysis.
Answer: C
Explanation:
Implementing input validation is the best way to address the manipulation of the public-facing web
form used by customers to order products. Input validation checks and filters any user-supplied data
before the application processes it: it confirms that each field has the expected type, format, length,
and range, rejects or sanitizes anything that does not, and is enforced on the server, since anything
checked only in the browser can be bypassed by editing the request. For an order form this also
means the server must never trust a price submitted by the customer; the amount charged should be
looked up from the catalogue by product identifier, so a tampered form cannot change what is billed.
Logging validation failures is what makes such tampering visible to an audit in the first place.
Reference: https://portswigger.net/web-security/input-validation
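The order-form flaw and its fix, side by side, as an added example rather than code from the page or from any real shop: the vulnerable handler computes the charge from fields the customer controls, while the hardened handler validates every submitted field on the server and takes the price from a catalogue keyed by product identifier. The catalogue, the field names and the quantity limits are assumptions.

```python
from decimal import Decimal, InvalidOperation

# Constructed server-side catalogue: the price of record lives here, never in the form.
CATALOGUE = {"SKU-100": Decimal("49.99"), "SKU-200": Decimal("120.00")}


class ValidationError(ValueError):
    """Raised when a submitted field fails validation; the order is rejected."""


def charge_vulnerable(form):
    """The flawed pattern behind the audit finding: the amount charged is computed
    from fields the customer controls, so editing the form changes the price."""
    return Decimal(form["price"]) * int(form["qty"])


def validate_order(form):
    """Server-side validation of every field the client supplies."""
    sku = form.get("sku", "")
    if sku not in CATALOGUE:
        raise ValidationError("unknown product identifier")
    qty_raw = form.get("qty", "")
    if not qty_raw.isdigit():              # rejects '', '-1', '1e3', ' 2', '2.5'
        raise ValidationError("quantity must be a whole number")
    qty = int(qty_raw)
    if not 1 <= qty <= 100:
        raise ValidationError("quantity out of range")
    return sku, qty


def charge_hardened(form):
    """The amount is derived from the catalogue; a client-supplied price that
    differs from it is surfaced as a tamper indicator for logging and review."""
    sku, qty = validate_order(form)
    amount = CATALOGUE[sku] * qty
    tamper_alert = False
    if "price" in form:                    # the form should not carry a price at all
        try:
            tamper_alert = Decimal(form["price"]) != CATALOGUE[sku]
        except InvalidOperation:
            tamper_alert = True
    return {"amount": amount, "tamper_alert": tamper_alert}
```

The `tamper_alert` flag is the detective half of the fix: rejecting or ignoring the field stops the loss, and recording the mismatch is what lets an analyst find the customers who tried it.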
31.An organization prohibits users from logging in to the administrator account. If a user requires
elevated permissions. the user's account should be part of an administrator group, and the user
should escalate permission only as needed and on a temporary basis.
The organization has the following reporting priorities when reviewing system activity:
• Successful administrator login reporting priority - high
• Failed administrator login reporting priority - medium
• Failed temporary elevated permissions - low
• Successful temporary elevated permissions - non-reportable
A security analyst is reviewing server syslogs and sees the following:
Which of the following events is the HIGHEST reporting priority?
A. Option A
B. Option B
C. Option C
D. Option D
Answer: A
Explanation:
Option A shows a successful administrator login from an IP address that is not part of the
organization’s network. This is a high reporting priority event, because it violates the organization’s
policy that prohibits users from logging in to the administrator accountand it could indicate a
compromise of the administrator credentials or a malicious insider. Option B shows a failed
administrator login from an IP address that is part of the organization’s network. This is a medium
reporting priority event, because it could indicate an unauthorized attempt to access the administrator
account. Option C shows a failed temporary elevated permission request from a user account that is
part of the organization’s network. This is a low reporting priority event, because it could indicate a
user error or a legitimate need for elevated permission that was denied. Option D shows a successful
temporary elevated permission request from a user account that is part of the organization’s network.
This is a non-reportable event, because it complies with the organization’s policy that allows users to
escalate permission only as needed and on a temporary basis.
Reference: https://www.sans.org/reading-room/whitepapers/logging/detecting-attacks-systems-
microsoft-windows-event-logs-2074
32.A company's threat team has been reviewing recent security incidents and looking for a common
theme. The team discovered the incidents were caused by incorrect configurations on the impacted
systems. The issues were reported to support teams, but no action was taken.
Which of the following is the next step the company should take to ensure any future issues are
remediated?
A. Require support teams to develop a corrective control that ensures security failures are addressed
once they are identified.
B. Require support teams to develop a preventive control that ensures new systems are built with the
required security configurations.
C. Require support teams to develop a detective control that ensures they continuously assess
systems for configuration errors.
D. Require support teams to develop a managerial control that ensures systems have a documented
configuration baseline.
Answer: A
Explanation:
Requiring support teams to develop a corrective control that ensures security failures are addressed
once they are identified is the best next step, because the root cause found by the threat team was
not a lack of detection (the misconfigurations were already found and reported) but a lack of follow-
through: nothing forced the reported issues to be fixed. Corrective controls are actions or mechanisms
applied after a security incident or failure has been identified to fix it and restore the system or
network to its intended state, such as patching, updating, repairing, restoring, or reconfiguring the
affected components, tracked until closure. A preventive control for new builds or a detective control
for continuous assessment would help, but neither guarantees that a known, reported issue is actually
remediated.
33.While reviewing incident reports from the previous night, a security analyst notices the corporate
websites were defaced with political propaganda.
Which of the following BEST describes this type of actor?
A. Hacktivist
B. Nation-state
C. Insider threat
D. Organized crime
Answer: A
Explanation:
A hacktivist is a type of actor who uses hacking techniques to promote a political or social cause or
agenda. Hacktivists often target websites or systems of organizations or governments that they
oppose or disagree with, and deface them with messages or propaganda related to their cause. In
this case, the hacktivist defaced the corporate websites with political propaganda.
Reference: What is Hacktivism? | Kaspersky
34.An organization has the following risk mitigation policy:
Risks with a probability of 95% or greater will be addressed before all others regardless of the impact.
All other prioritization will be based on risk value.
The organization has identified the following risks:
Which of the following is the order of priority for risk mitigation from highest to lowest?
A. A, B, D, C
B. A, B, C, D
C. D, A, B, C
D. D, A, C, B
Answer: D
Explanation:
According to the risk mitigation policy, risks with a probability of 95% or greater are addressed first,
regardless of impact. Risk D, with a probability of 95% and an impact of $100,000, is therefore the
highest priority even though its risk value ($95,000) is lower than risk A's. All other risks are then
prioritized by risk value, which is probability multiplied by impact: risk A has a risk value of $180,000
(90% x $200,000), risk C has $40,000 (80% x $50,000), and risk B has $30,000 (60% x $50,000).
The order of priority is therefore D, A, C, B.
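The same policy as a sorting rule, added as an example (not part of the exam material) so the ordering is reproducible for any number of risks, not just the four in the question. The probabilities and impacts are the values given in the explanation above; the tie-break by name within a group is an assumption, since the policy does not say how equal risks are ordered.

```python
# Risks from the explanation: (probability, impact in dollars).
RISKS = {
    "A": (0.90, 200_000),
    "B": (0.60, 50_000),
    "C": (0.80, 50_000),
    "D": (0.95, 100_000),
}


def risk_value(probability, impact):
    """Expected loss: probability multiplied by impact."""
    return probability * impact


def prioritise(risks, probability_threshold=0.95):
    """Return risk names highest priority first under the stated policy: any risk
    at or above the probability threshold comes before all others regardless of
    impact; within the threshold group and among the rest, order by risk value.
    Name is the assumed tie-break, as the policy does not define one."""
    def sort_key(item):
        name, (probability, impact) = item
        group = 0 if probability >= probability_threshold else 1
        return (group, -risk_value(probability, impact), name)
    return [name for name, _ in sorted(risks.items(), key=sort_key)]
```

Note that a risk with a 97% probability and a tiny impact would still jump ahead of risk A under this policy; that is the consequence of "regardless of the impact", and it is worth pointing out to whoever wrote the policy.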
35.During a company’s most recent incident, a vulnerability in custom software was exploited on an
externally facing server by an APT.
The lessons-learned report noted the following:
• The development team used a new software language that was not supported by the security team's
automated assessment tools.
• During the deployment, the security assessment team was unfamiliar with the new language and
struggled to evaluate the software during advanced testing. Therefore, the vulnerability was not
detected.
• The current IPS did not have effective signatures and policies in place to detect and prevent runtime
attacks on the new application.
To allow this new technology to be deployed securely going forward, which of the following will BEST
address these findings? (Choose two.)
A. Train the security assessment team to evaluate the new language and verify that best practices for
secure coding have been followed
B. Work with the automated assessment-tool vendor to add support for the new language so these
vulnerabilities are discovered automatically
C. Contact the human resources department to hire new security team members who are already
familiar with the new language
D. Run the software on isolated systems so when they are compromised, the attacker cannot pivot to
adjacent systems
E. Instruct only the development team to document the remediation steps for this
vulnerability
F. Outsource development and hosting of the applications in the new language to a third-party vendor
so the risk is transferred to that provider
Answer: A,B
Explanation:
The solution will address the findings that the development team used a new software language that
was not supported by the security team's automated assessment tools and the security assessment
team was unfamiliar with the new language and struggled to evaluate the software during advanced
testing. The training of the security assessment team and working with the automated assessment-
tool vendor to add support for the new language will ensure that future deployments of the new
technology are secure and the vulnerabilities are detected and prevented.
36.A security analyst needs to provide the development team with secure connectivity from the
corporate network to a three-tier cloud environment. The developers require access to servers in all
three tiers in order to perform various configuration tasks.
Which of the following technologies should the analyst implement to provide secure transport?
A. CASB
B. VPC
C. Federation
D. VPN
Answer: D
Explanation:
A VPN (virtual private network) provides secure transport from the corporate network to a cloud
environment: it creates an encrypted, authenticated tunnel between the two networks, so developers
can reach servers in all three tiers without exposing their traffic to interception or tampering, and it
can tie that access to the developers' identities and permissions. A VPC (virtual private cloud) is an
isolated network segment inside a public cloud provider; it is where the three tiers live, but it is not
itself a transport mechanism. A CASB enforces policy on the use of cloud services, and federation
handles identity sharing between organizations; neither provides a secure channel.
37.After detecting possible malicious external scanning, an internal vulnerability scan was performed,
and a critical server was found with an outdated version of JBoss. A legacy application that is running
depends on that version of JBoss.
Which of the following actions should be taken FIRST to prevent server compromise and business
disruption at the same time?
A. Make a backup of the server and update the JBoss server that is running on it.
B. Contact the vendor for the legacy application and request an updated version.
C. Create a proper DMZ for outdated components and segregate the JBoss server.
D. Apply virtualization over the server, using the new platform to provide the JBoss service for the
legacy application as an external service.
Answer: C
Explanation:
Creating a proper DMZ for the outdated components and segregating the JBoss server is the best first
action because it reduces the server's exposure immediately without touching the legacy application.
A DMZ (demilitarized zone) is an isolated network segment, separated from the internal network by
the firewall, designed to house systems that receive connections from the outside world, such as web
and email servers. If a system in the DMZ is compromised, it poses little threat to the internal network,
because connections between the DMZ and the internal network must still pass through the firewall
and are subject to its security policy. Updating JBoss (A) or virtualizing the service (D) risks breaking
the legacy application, and requesting an updated application from the vendor (B) is the right long-
term fix but does nothing to protect the server today.
38.A security analyst who works in the SOC receives a new requirement to monitor for indicators of
compromise.
Which of the following is the first action the analyst should take in this situation?
A. Develop a dashboard to track the indicators of compromise.
B. Develop a query to search for the indicators of compromise.
C. Develop a new signature to alert on the indicators of compromise.
D. Develop a new signature to block the indicators of compromise.
Answer: B
Explanation:
Developing a query to search for the indicators of compromise is the first action the analyst should
take in this situation. Indicators of compromise (IOCs) are pieces of information that suggest a system
or network has been compromised by an attacker. IOCs can include IP addresses, domain names,
file hashes, URLs, or other artifacts that are associated with malicious activity. Developing a query to
search for IOCs can help to identify any potential incidents or threats in the environment and initiate
further investigation or response.
Reference: https://www.crowdstrike.com/cybersecurity-101/incident-response/indicators-of-compromise/
39.Which of the following can detect vulnerable third-party libraries before code deployment?
A. Impact analysis
B. Dynamic analysis
C. Static analysis
D. Protocol analysis
Answer: C
Explanation:
Static analysis is a method of analyzing an application's source code, build files, or binaries without
executing it. It can detect vulnerable third-party libraries before code deployment by inspecting the
dependency manifests and imports for libraries and versions that appear in a vulnerability database
(software composition analysis is the usual name for this kind of static check) and reporting any
issues or risks.
Impact analysis is a process of assessing the potential effects of a change on a system or service,
such as performance, availability, security and compatibility. Impact analysis does not detect
vulnerable third-party libraries before code deployment, but rather helps to evaluate and communicate
the consequences of a change.
Dynamic analysis is a method of analyzing the behavior or performance of an application by
executing it under various conditions or inputs. Dynamic analysis does not detect vulnerable third-
party libraries before code deployment, but rather helps to identify any errors or defects that occur at
runtime.
Protocol analysis is a method of examining the data exchanged between devices or applications over
a network by capturing and interpreting the packets or messages. Protocol analysis does not detect
vulnerable third-party libraries before code deployment, but rather helps to monitor and troubleshoot
network communication.
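A small dependency check of the kind a static analysis step runs before deployment, added as an example rather than code from the page or from any real scanner. It parses a constructed `requirements.txt`, compares each pinned version against a constructed advisory list, and fails the build when a pinned version falls inside a vulnerable range. The advisory identifiers, package names and version ranges are made up for the example and are not real CVE entries.

```python
import re

# Constructed advisory feed for the example; identifiers are illustrative and are
# not real CVE entries. 'fixed' is the first version that is no longer affected.
ADVISORIES = [
    {"package": "examplelib", "introduced": "1.0.0", "fixed": "1.4.2", "id": "ADV-EXAMPLE-001"},
    {"package": "otherlib",   "introduced": "0.0.0", "fixed": "2.0.0", "id": "ADV-EXAMPLE-002"},
]

# Constructed requirements.txt as a build step would read it from the repository.
SAMPLE_REQUIREMENTS = """\
# pinned dependencies (constructed sample)
examplelib==1.3.0
otherlib==2.1.0   # already at a fixed release
safelib==0.9.1
"""

PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9_.-]*)==([0-9][0-9A-Za-z.]*)$")


def parse_version(text):
    """Numeric components only, so '1.4.2' -> (1, 4, 2); enough for ordered compares."""
    return tuple(int(x) for x in re.findall(r"\d+", text))


def parse_requirements(text):
    """Return {package: version}. Anything not pinned with '==' raises, because a
    gate that cannot tell which version will be deployed must fail closed."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = PIN_RE.match(line)
        if not m:
            raise ValueError(f"unpinned or unsupported requirement: {line!r}")
        pins[m.group(1).lower()] = m.group(2)
    return pins


def find_vulnerable(pins, advisories=ADVISORIES):
    """One finding per pinned package whose version lies in an advisory's
    [introduced, fixed) range."""
    findings = []
    for adv in advisories:
        version = pins.get(adv["package"].lower())
        if version is None:
            continue
        if parse_version(adv["introduced"]) <= parse_version(version) < parse_version(adv["fixed"]):
            findings.append({"package": adv["package"], "version": version,
                             "advisory": adv["id"], "fixed_in": adv["fixed"]})
    return findings


def gate(requirements_text):
    """Build-time gate: True when the dependency set is clean, False otherwise."""
    return not find_vulnerable(parse_requirements(requirements_text))
```

Running this in CI is what makes the detection happen before deployment: the same comparison done against a running system would be a vulnerability scan, which is what the other options describe.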
40.A Chief Information Officer wants to implement a BYOD strategy for all company laptops and
mobile phones. The Chief Information Security Officer is concerned with ensuring all devices are
patched and running some sort of protection against malicious software.
Which of the following existing technical controls should a security analyst recommend to best meet
all the requirements?
A. EDR
B. Port security
C. NAC
D. Segmentation
Answer: A
Explanation:
EDR stands for endpoint detection and response, which is a type of security solution that monitors
and protects all devices that are connected to a network, such as laptops and mobile phones. EDR
can help to ensure that all devices are patched and running some sort of protection against malicious
software by providing continuous visibility, threat detection, incident response, and remediation
capabilities. EDR can also help to enforce security policies and compliance requirements across all
devices.
Reference: https://www.crowdstrike.com/epp-101/what-is-endpoint-detection-and-response-edr/
41.Which of the following provides an automated approach to checking a system configuration?
A. SCAP
B. CI/CD
C. OVAL
D. Scripting
E. SOAR
Answer: A
Explanation:
SCAP stands for Security Content Automation Protocol, a NIST-maintained set of standards and
specifications that allows automated configuration and vulnerability management of systems. SCAP
provides an automated approach to checking a system configuration by using standardized content
and formats (for example XCCDF checklists and OVAL definitions) to evaluate the system's
compliance with predefined policies or benchmarks. OVAL is one of the component languages within
SCAP rather than the complete approach; CI/CD, scripting, and SOAR are automation technologies
that could be used to run such checks, but they do not themselves define how a configuration is
assessed.
Reference: https://csrc.nist.gov/projects/security-content-automation-protocol
42.A security analyst discovers the accounting department is hosting an accounts receivable form on
a public document service. Anyone with the link can access it.
Which of the following threats applies to this situation?
A. Potential data loss to external users
B. Loss of public/private key management
C. Cloud-based authentication attack
D. Identification and authentication failures
Answer: A
Explanation:
Potential data loss to external users is a threat that applies to this situation, where the accounting
department is hosting an accounts receivable form on a public document service. Anyone with the link
can access it. Data loss is an event that results in the destruction, corruption, or unauthorized
disclosure of sensitive or confidential data. Data loss can occur due to various reasons, such as
human error, hardware failure, malware infection, or cyberattack. In this case, hosting an accounts
receivable form on a public document service exposes the data to potential data loss to external
users who may access it without authorization or maliciously modify or delete it.