Exam Details

  • Exam Code: CS0-002
  • Exam Name: CompTIA Cybersecurity Analyst (CySA+)
  • Certification: CompTIA CySA+
  • Vendor: CompTIA
  • Total Questions: 1059 Q&As
  • Last Updated: May 10, 2024

CompTIA CySA+ CS0-002 Questions & Answers

  • Question 31:

    An organization that uses SPF has been notified that emails sent via its authorized third-party partner are getting rejected. A security analyst reviews the DNS entry and sees the following:

    v=spf1 ip4:180.10.6.5 ip4:180.10.6.10 include:robustmail.com ~all

    The organization's primary mail server IP is 180.10.6.6, and the secondary mail server IP is 180.10.6.5. The organization's third-party mail provider is "Robust Mail" with the domain name robustmail.com. Which of the following is the MOST likely reason for the rejected emails?

    A. SPF version 1 does not support third-party providers.

    B. The primary and secondary email server IP addresses are out of sequence.

    C. An incorrect IP version is being used.

    D. The wrong domain name is in the SPF record.

  • Question 32:

    An organization recently discovered some inconsistencies in the motherboards it received from a vendor. The organization's security team then provided guidance on how to ensure the authenticity of the motherboards it received from vendors. Which of the following would be the BEST recommendation for the security analyst to provide?

    A. The organization should use a certified, trusted vendor as part of the supply chain.

    B. The organization should evaluate current NDAs to ensure enforceability of legal actions.

    C. The organization should maintain the relationship with the vendor and enforce vulnerability scans.

    D. The organization should ensure all motherboards are equipped with a TPM.

  • Question 33:

    A security analyst needs to identify possible threats to a complex system a client is developing. Which of the following methodologies would BEST address this task?

    A. Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privileges (STRIDE)

    B. Software Assurance Maturity Model (SAMM)

    C. Open Web Application Security Project (OWASP)

    D. Open Source Security Information Management (OSSIM)

  • Question 34:

    A company uses self-signed certificates when sending emails to recipients within the company. Users are calling the help desk because they are getting warnings when attempting to open emails sent by internal users. A security analyst checks the certificates and sees the following:

    Issued to: [email protected]
    Issued by: certServer.company.com
    Valid from: 1/1/2020 to 1/1/2030

    Which of the following should the security analyst conclude?

    A. [email protected] is a malicious insider.

    B. The valid dates are too far apart and are generating the alerts.

    C. certServer has been compromised.

    D. The root certificate was not installed in the trusted store.

  • Question 35:

    Management would like to make changes to the company's infrastructure following a recent incident in which a malicious insider was able to pivot to another workstation that had access to the server environment. Which of the following controls would work BEST to prevent this type of event from reoccurring?

    A. EDR

    B. DLP

    C. NAC

    D. IPS

  • Question 36:

    A security analyst is monitoring a company's network traffic and finds ping requests going to accounting and human resources servers from a SQL server. Upon investigation, the analyst discovers a technician responded to potential network connectivity issues. Which of the following is the BEST way for the security analyst to respond?

    A. Report this activity as a false positive, as the activity is legitimate.

    B. Isolate the system and begin a forensic investigation to determine what was compromised.

    C. Recommend network segmentation to management as a way to secure the various environments.

    D. Implement host-based firewalls on all systems to prevent ping sweeps in the future.

  • Question 37:

    A managed security service provider (MSSP) has alerted a user that an account was added to the local administrator group for the servers named EC2AMAZ-HG87B4 and EC2AMAZ-B643M2. A security analyst logs in to the cloud provider's graphical user interface to determine the IP addresses of the servers and sees the following data:

    Which of the following changes to the current architecture would work BEST to help the analyst to troubleshoot future alerts?

    A. Rename all hosts to the value listed in the instance ID field.

    B. Create a standard naming convention for all hostnames.

    C. Create an asset tag that identifies each instance by hostname.

    D. Instruct the MSSP to add the platform name from the cloud console to all alerts.

  • Question 38:

    A security analyst is investigating a reported phishing attempt that was received by many users throughout the company. The text of one of the emails is shown below:

    Return-Path: [email protected]
    Received: from [122.167.40.119]
    Message-ID:
    Date: 23 May 2020 11:40:36 -0400
    From: [email protected]
    X-Accept-Language: en-us, en
    MIME-Version: 1.0
    To: Paul Vieira
    Subject: Account Lockout
    Content-Type: HTML;

    Office 365 User,

    It looks like your account has been locked out. Please click this link and follow the prompts to restore access.

    Regards,

    Security Team

    Due to the size of the company and the high storage requirements, the company does not log DNS requests or perform packet captures of network traffic, but it does log network flow data. Which of the following commands will the analyst most likely execute NEXT?

    A. telnet off1ce365.com 25

    B. tracert 122.167.40.119

    C. curl http://accountfix-office356.com/login.php

    D. nslookup accountfix-office356.com

  • Question 39:

    A host is spamming the network unintentionally. Which of the following control types should be used to address this situation?

    A. Managerial

    B. Technical

    C. Operational

    D. Corrective

  • Question 40:

    A company recently hired a new SOC provider and implemented new incident response procedures. Which of the following conjoined approaches would MOST likely be used to evaluate the new implementations for monitoring and incident response at the same time? (Choose two.)

    A. Blue-team exercise

    B. Disaster recovery exercise

    C. Red-team exercise

    D. Gray-box penetration test

    E. Tabletop exercise

    F. Risk assessment

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more and more important and are required by more and more enterprises when applying for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only CompTIA exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your CS0-002 exam preparation and CompTIA certification application, do not hesitate to visit Vcedump.com to find your solutions here.