Exam Details

  • Exam Code: CS0-002
  • Exam Name: CompTIA Cybersecurity Analyst (CySA+)
  • Certification: CompTIA CySA+
  • Vendor: CompTIA
  • Total Questions: 1059 Q&As
  • Last Updated: Mar 21, 2024

CompTIA CySA+ CS0-002 Questions & Answers

  • Question 51:

    A security team wants to make SaaS solutions accessible from only the corporate campus.

    Which of the following would BEST accomplish this goal?

    A. Geotagging

    B. IP restrictions

    C. Reverse proxy

    D. Single sign-on

  • Question 52:

    A company that uses email for all internal and external communications received a legal notice from a vendor that was disputing a contract award. The company needs to implement a legal hold on the email of users who were involved in the vendor selection process and the awarding of the contract. Which of the following describes the appropriate steps that should be taken to comply with the legal notice?

    A. Notify the security team of the legal hold and remove user access to the email accounts.

    B. Coordinate with legal counsel and then notify the security team to ensure the appropriate email accounts are frozen.

    C. Disable the user accounts that are associated with the legal hold and create new user accounts so they can continue doing business.

    D. Encrypt messages that are associated with the legal hold and initiate a chain of custody to ensure admissibility in future legal proceedings.

  • Question 53:

    A company's blocklist has outgrown the current technologies in place. The ACLs are at maximum, and the IPS signatures only allow a certain amount of space for domains to be added, creating the need for multiple signatures. Which of the following configuration changes to the existing controls would be the MOST appropriate to improve performance?

    A. Implement a host-file-based solution that will use a list of all domains to deny for all machines on the network.

    B. Create an IDS for the current blocklist to determine which domains are showing activity and may need to be removed.

    C. Review the current blocklist and prioritize it based on the level of threat severity. Add the domains with the highest severity to the blocklist and remove the lower-severity threats from it.

    D. Review the current blocklist to determine which domains can be removed from the list and then update the ACLs and IPS signatures.

  • Question 54:

    An organization recently discovered a malware sample on an internal server. IoCs showed the malware sample was running on port 27573. The incident response team successfully removed the malware from the server, but the organization is now concerned about other instances of the malware being installed on another server. The following network traffic was captured after the known malware was assumed to be eradicated:

    32.123456 192.168.1.134 -> 192.168.1.101 TCP 58 25101 > 27573 [SYN] seq=0 Win=4096 Len=0
    32.235433 192.168.1.101 -> 192.168.1.134 TCP 58 27573 > 25101 [SYN, ACK] seq=0 Win=4096 Len=0
    32.301211 192.168.1.134 -> 192.168.1.102 TCP 58 27103 > 27573 [SYN] seq=0 Win=4096 Len=0
    32.419921 192.168.1.134 -> 192.168.1.103 TCP 58 54975 > 27573 [SYN] seq=0 Win=4096 Len=0
    32.501843 192.168.1.134 -> 192.168.1.104 TCP 58 60397 > 27573 [SYN] seq=0 Win=4096 Len=0

    Which of the following can the organization conclude?

    A. The malware was installed on servers 192.168.1.102, 192.168.1.103, and 192.168.1.104.

    B. Only the server at 192.168.1.103 has an indication of a possible compromise.

    C. Only the server at 192.168.1.104 has an indication of a possible compromise.

    D. Both servers 192.168.1.101 and 192.168.1.134 indicate a possible compromise.

    E. The server at 192.168.1.134 is exfiltrating data in 25KB files to servers throughout the organization.

  • Question 55:

    During a review of SIEM alerts, a security analyst discovers the SIEM is receiving many alerts per day from the file-integrity monitoring tool about files from a newly deployed application that should not change. Which of the following steps should the analyst complete FIRST to respond to the issue?

    A. Warn the incident response team that the server can be compromised.

    B. Open a ticket informing the development team about the alerts.

    C. Check if temporary files are being monitored.

    D. Dismiss the alert, as the new application is still being adapted to the environment.

  • Question 56:

    A security analyst receives a CVE bulletin, which lists several products that are used in the enterprise. The analyst immediately deploys a critical security patch. Which of the following BEST describes the reason for the analyst's immediate action?

    A. Nation-state hackers are targeting the region.

    B. A new vulnerability was discovered by a vendor.

    C. A known exploit was discovered.

    D. A new zero-day threat needs to be addressed.

    E. There is an insider threat.

  • Question 57:

    Portions of a legacy application are being refactored to discontinue the use of dynamic SQL. Which of the following would be BEST to implement in the legacy application?

    A. Input validation

    B. SQL injection

    C. Parameterized queries

    D. Web-application firewall

    E. Multifactor authentication

  • Question 58:

    A proposed network architecture requires systems to be separated from each other logically based on defined risk levels. Which of the following explains the reason why an architect would set up the network this way?

    A. To complicate the network and frustrate a potential malicious attacker

    B. To create a design that simplifies the supporting network

    C. To reduce the attack surface of those systems by segmenting the network based on risk

    D. To reduce the number of IP addresses that are used on the network

  • Question 59:

    A security team identified some specific known tactics and techniques to help mitigate repeated credential access threats, such as account manipulation and brute forcing. Which of the following frameworks or models did the security team MOST likely use to identify the tactics and techniques?

    A. MITRE ATT&CK

    B. ITIL

    C. Kill chain

    D. Diamond Model of Intrusion Analysis

  • Question 60:

    A security analyst needs to acquire evidence by cloning hard drives, which will then be acquired by a third-party forensic lab. The security analyst is concerned about modifying evidence on the hard drives. Which of the following should be the NEXT step to preserve the evidence?

    A. Apply encryption over the data during the evidence collection process.

    B. Create a file hash of the drive images and clones.

    C. Use an encrypted USB stick to transfer the data from the hard drives.

    D. Initiate a chain of custody document and ask the data owner to sign it.

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more and more important and are required by more and more enterprises when applying for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only CompTIA exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your CS0-002 exam preparation and CompTIA certification application, do not hesitate to visit Vcedump.com to find your solutions here.