Exam Details

  • Exam Code: CS0-002
  • Exam Name: CompTIA Cybersecurity Analyst (CySA+)
  • Certification: CompTIA CySA+
  • Vendor: CompTIA
  • Total Questions: 1059 Q&As
  • Last Updated: May 10, 2024

CompTIA CySA+ CS0-002 Questions & Answers

  • Question 131:

    A cybersecurity analyst is dissecting an intrusion down to the specific techniques and wants to organize them in a logical manner. Which of the following frameworks would BEST apply in this situation?

    A. Pyramid of Pain

    B. MITRE ATT&CK

    C. Diamond Model of Intrusion Analysis

    D. CVSS v3.0

  • Question 132:

    A security analyst is required to stay current with the most recent threat data and intelligence reports. When gathering data, it is MOST important for the data to be:

    A. proprietary and timely

    B. proprietary and accurate

    C. relevant and deep

    D. relevant and accurate

  • Question 133:

    An executive assistant wants to onboard a new cloud-based product to help with business analytics and dashboarding. Which of the following would be the BEST integration option for this service?

    A. Manually log in to the service and upload data files on a regular basis

    B. Have the internal development team script connectivity and file transfers to the new service

    C. Create a dedicated SFTP site and schedule transfers to ensure file transport security

    D. Utilize the cloud product's API for supported and ongoing integrations

  • Question 134:

    A security analyst is reviewing the following DNS logs as part of security-monitoring activities:

    Which of the following MOST likely occurred?

    A. The attack used an algorithm to generate command and control information dynamically

    B. The attack attempted to contact www.google.com to verify Internet connectivity

    C. The attack used encryption to obfuscate the payload and bypass detection by an IDS

    D. The attack caused an internal host to connect to a command and control server

  • Question 135:

    A security analyst reviews SIEM logs and detects a well-known malicious executable running in a Windows machine. The up-to-date antivirus cannot detect the malicious executable. Which of the following is the MOST likely cause of this issue?

    A. The malware is fileless and exists only in physical memory

    B. The malware detects and prevents its own execution in a virtual environment

    C. The antivirus does not have the malware's signature

    D. The malware is being executed with administrative privileges

  • Question 136:

    A security engineer is reviewing security products that identify malicious actions by users as part of a company's insider threat program. Which of the following is the MOST appropriate product category for this purpose?

    A. SCAP

    B. SOAR

    C. UEBA

    D. WAF

  • Question 137:

    A large organization wants to move account registration services to the cloud to benefit from faster processing and elasticity. Which of the following should be done FIRST to determine the potential risk to the organization?

    A. Establish a recovery time objective and a recovery point objective for the systems being moved

    B. Calculate the resource requirements for moving the systems to the cloud

    C. Determine recovery priorities for the assets being moved to the cloud-based systems

    D. Identify the business processes that will be migrated and the criticality of each one

    E. Perform an inventory of the servers that will be moving and assign priority to each one

  • Question 138:

    While reviewing log files, a security analyst uncovers a brute-force attack that is being performed against an external webmail portal. Which of the following would be BEST to prevent this type of attack from being successful?

    A. Create a new rule in the IDS that triggers an alert on repeated login attempts

    B. Implement MFA on the email portal using out-of-band code delivery

    C. Alter the lockout policy to ensure users are permanently locked out after five attempts

    D. Leverage password filters to prevent weak passwords on employee accounts from being exploited

    E. Configure a WAF with brute-force protection rules in block mode

  • Question 139:

    A security analyst is scanning the network to determine if a critical security patch was applied to all systems in an enterprise. The organization has a very low tolerance for risk when it comes to resource availability. Which of the following is the BEST approach for configuring and scheduling the scan?

    A. Make sure the scan is credentialed, covers all hosts in the patch management system, and is scheduled during business hours so it can be terminated if it affects business operations.

    B. Make sure the scan is uncredentialed, covers all hosts in the patch management system, and is scheduled during off-business hours so it has the least impact on operations.

    C. Make sure the scan is credentialed, has the latest software and signature versions, covers all hosts in the patch management system, and is scheduled during off-business hours so it has the least impact on operations.

    D. Make sure the scan is credentialed, uses a limited plugin set, scans all host IP addresses in the enterprise, and is scheduled during off-business hours so it has the least impact on operations.

  • Question 140:

    A security analyst is probing a company's public-facing servers for vulnerabilities and obtains the following output:

    Which of the following changes should the analyst recommend FIRST?

    A. Implement File Transfer Protocol Secure on the upload server

    B. Disable anonymous login on the web server

    C. Configure firewall changes to close port 445 on 124.45.23.112

    D. Apply a firewall rule to filter the number of requests per second on port 80 on 124.45.23.108

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more and more important and are required by more and more enterprises when applying for a job. But how can you prepare for the exam effectively? How can you prepare for the exam in a short time with less effort? How can you get an ideal result, and how can you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only CompTIA exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your CS0-002 exam preparation and CompTIA certification application, do not hesitate to visit Vcedump.com to find your solutions.