CompTIA CompTIA CySA+ CS0-002 Questions & Answers

• Question 1011:

  A security analyst is reviewing the logs from an internal chat server. The chat.log file is too large to review manually, so the analyst wants to create a shorter log file that only includes lines associated with a user demonstrating anomalous activity. Below is a snippet of the log:

  

  Which of the following commands would work BEST to achieve the desired result?

  A. grep -v chatter14 chat.log

  B. grep -i pythonfun chat.log

  C. grep -i javashark chat.log

  D. grep -v javashark chat.log

  E. grep -v pythonfun chat.log

  F. grep -i chatter14 chat.log

  Correct Answer: D

• Question 1012:

  A development team uses open-source software and follows an Agile methodology with two-week sprints. Last month, the security team filed a bug for an insecure version of a common library. The DevOps team updated the library on the server, and then the security team rescanned the server to verify it was no longer vulnerable. This month, the security team found the same vulnerability on the server. Which of the following should be done to correct the cause of the vulnerability?

  A. Deploy a WAF in front of the application.

  B. Implement a software repository management tool.

  C. Install a HIPS on the server.

  D. Instruct the developers to use input validation in the code.

  Correct Answer: B

• Question 1013:

  During an investigation, a security analyst determines suspicious activity occurred during the night shift over the weekend. Further investigation reveals the activity was initiated from an internal IP going to an external website. Which of the following would be the MOST appropriate recommendation to prevent the activity from happening in the future?

  A. An IPS signature modification for the specific IP addresses

  B. An IDS signature modification for the specific IP addresses

  C. A firewall rule that will block port 80 traffic

  D. Implement a web proxy to restrict malicious web content

  Correct Answer: A

• Question 1014:

  A security analyst has received reports of very slow, intermittent access to a public-facing corporate server. Suspecting the system may be compromised, the analyst runs the following commands:

  

  Based on the output from the above commands, which of the following should the analyst do NEXT to further the investigation?

  A. Run crontab -r; rm -rf /tmp/.t to remove and disable the malware on the system.

  B. Examine the server logs for further indicators of compromise of a web application.

  C. Run kill -9 1325 to bring the load average down so the server is usable again.

  D. Perform a binary analysis on the /tmp/.t/t file, as it is likely to be a rogue SSHD server.

  Correct Answer: B

• Question 1015:

  A Chief Information Security Officer (CISO) wants to upgrade an organization's security posture by improving proactive activities associated with attacks from internal and external threats. Which of the following is the MOST proactive tool or technique that feeds incident response capabilities?

  A. Development of a hypothesis as part of threat hunting

  B. Log correlation, monitoring, and automated reporting through a SIEM platform

  C. Continuous compliance monitoring using SCAP dashboards

  D. Quarterly vulnerability scanning using credentialed scans

  Correct Answer: A

• Question 1016:

  While planning segmentation for an ICS environment, a security engineer determines IT resources will need access to devices within the ICS environment without compromising security. To provide the MOST secure access model in this scenario, the jumpbox should be __________.

  A. placed in an isolated network segment, authenticated on the IT side, and forwarded into the ICS network.

  B. placed on the ICS network with a static firewall rule that allows IT network resources to authenticate.

  C. bridged between the IT and operational technology networks to allow authenticated access.

  D. placed on the IT side of the network, authenticated, and tunneled into the ICS environment.

  Correct Answer: A

• Question 1017:

  A security analyst reviews the following aggregated output from an Nmap scan and the border firewall ACL:

  

  Which of the following should the analyst reconfigure to BEST reduce organizational risk while maintaining current functionality?

  A. PC1

  B. PC2

  C. Server1

  D. Server2

  E. Firewall

  Correct Answer: E

• Question 1018:

  An audit has revealed an organization is utilizing a large number of servers that are running unsupported operating systems.

  As part of the management response phase of the audit, which of the following would BEST demonstrate senior management is appropriately aware of and addressing the issue?

  A. Copies of prior audits that did not identify the servers as an issue

  B. Project plans relating to the replacement of the servers that were approved by management

  C. Minutes from meetings in which risk assessment activities addressing the servers were discussed

  D. ACLs from perimeter firewalls showing blocked access to the servers

  E. Copies of change orders relating to the vulnerable servers

  Correct Answer: B

• Question 1019:

  A security analyst is reviewing packet captures from a system that was compromised. The system was already isolated from the network, but it did have network access for a few hours after being compromised. When viewing the capture in a packet analyzer, the analyst sees the following:

  

  Which of the following can the analyst conclude?

  A. Malware is attempting to beacon to 128.50.100.3.

  B. The system is running a DoS attack against ajgidwle.com.

  C. The system is scanning ajgidwle.com for PII.

  D. Data is being exfiltrated over DNS.

  Correct Answer: D

• Question 1020:

  It is important to parameterize queries to prevent:

  A. the execution of unauthorized actions against a database.

  B. a memory overflow that executes code with elevated privileges.

  C. the establishment of a web shell that would allow unauthorized access.

  D. the queries from using an outdated library with security vulnerabilities.

  Correct Answer: A