CS0-002 Exam Details

  • Exam Code: CS0-002
  • Exam Name: CompTIA Cybersecurity Analyst (CySA+)
  • Certification: CompTIA Certifications
  • Vendor: CompTIA
  • Total Questions: 1059 Q&As
  • Last Updated: May 30, 2026

CompTIA CS0-002 Online Questions & Answers

  • Question 921:

    Some hard disks need to be taken as evidence for further analysis during an incident response.

    Which of the following procedures must be completed FIRST for this type of evidence acquisition?

    A. Extract the hard drives from the compromised machines and then plug them into a forensics machine to apply encryption over the stored data to protect it from non-authorized access
    B. Build the chain-of-custody document, noting the media model, serial number, size, vendor, date, and time of acquisition
    C. Perform a disk sanitation using the command #dd if=/dev/zero of=/dev/adc bs=1M over the media that will receive a copy of the collected data
    D. Execute the command #dd if=/dev/ada of=/dev/adc bs=512 to clone the evidence data to external media to prevent any further change

  • Question 922:

    After receiving reports of latency, a security analyst performs an Nmap scan and observes the following output:

    Which of the following suggests the system that produced the output was compromised?

    A. Secure shell is operating of compromise on this system.
    B. There are no indicators of compromise on this system.
    C. MySQL service is identified on a standard PostgreSQL port.
    D. Standard HTTP is open on the system and should be closed.

  • Question 923:

    An organization's network administrator uncovered a rogue device on the network that is emulating the characteristics of a switch. The device is trunking protocols and inserting tagging values to control the flow of traffic at the data link layer. Which of the following BEST describes the attack?

    A. DNS pharming
    B. VLAN hopping
    C. Spoofing
    D. Injection attack

  • Question 924:

    A security analyst discovers a standard user has unauthorized access to the command prompt, PowerShell, and other system utilities. Which of the following is the BEST action for the security analyst to take?

    A. Disable the appropriate settings in the administrative template of the Group Policy.
    B. Use AppLocker to create a set of whitelist and blacklist rules specific to group membership.
    C. Modify the registry keys that correlate with the access settings for the System32 directory.
    D. Remove the user's permissions from the various system executables.

  • Question 925:

    An organization is requesting the development of a disaster recovery plan. The organization has grown and so has its infrastructure. Documentation, policies, and procedures do not exist. Which of the following steps should be taken to assist in the development of the disaster recovery plan?

    A. Conduct a risk assessment.
    B. Develop a data retention policy.
    C. Execute vulnerability scanning.
    D. Identify assets.

  • Question 926:

    SIMULATION

    Part1-AppServ3

    You are a cybersecurity analyst tasked with interpreting scan data from Company A's servers. You must verify the requirements are being met for all of the servers and recommend changes if you find they are not. The company's hardening guidelines indicate the following:

    1. TLS 1.2 is the only version of TLS running.

    2. Apache 2.4.18 or greater should be used.

    3. Only default ports should be used.

    INSTRUCTIONS

    Using the supplied data, record the status of compliance with the company's guidelines for each server.

    The question contains two parts: make sure you complete Part 1 and Part 2. Make recommendations for issues based ONLY on the hardening guidelines provided.

    Hot Area:

  • Question 927:

    An analyst has received a notification about potential malicious activity against a web server. The analyst logs in to a central log collection server and runs the following command: cat access.log.1 | grep "union". The output shown below appears:

    68.71.54.117 - - [31/Jan/2020:10:02:31 -0400] "Get /cgi-bin/backend1.sh?id=%20union%20select%20192.168.60.50 HTTP/1.1"

    Which of the following attacks has occurred on the server?

    A. Cross-site request forgery
    B. SQL injection
    C. Cross-site scripting
    D. Directory traversal

  • Question 928:

    An analyst received a forensically sound copy of an employee's hard drive. The employee's manager suspects inappropriate images may have been deleted from the hard drive. Which of the following could help the analyst recover the deleted evidence?

    A. File hashing utility
    B. File timestamps
    C. File carving tool
    D. File analysis tool

  • Question 929:

    A suite of three production servers that were originally configured identically underwent the same vulnerability scans. However, recent results revealed the three servers have different critical vulnerabilities. The servers are not accessible from the Internet, and AV programs have not detected any malware. The servers' syslog files do not show any unusual traffic since they were installed, and the servers are physically isolated in an off-site datacenter. Checksum testing of random executables does not reveal tampering. Which of the following scenarios is MOST likely?

    A. Servers have not been scanned with the latest vulnerability signature
    B. Servers have been attacked by outsiders using zero-day vulnerabilities
    C. Servers were made by different manufacturers
    D. Servers have received different levels of attention during previous patch management events

  • Question 930:

    A computer has been infected with a virus and is sending out a beacon to a command-and-control server through an unknown service. Which of the following should a security technician implement to drop the traffic going to the command-and-control server and still be able to identify the infected host through firewall logs?

    A. Sinkhole
    B. Block ports and services
    C. Patches
    D. Endpoint security

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more and more important and are required by more and more enterprises when applying for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only CompTIA exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your CS0-002 exam preparation and CompTIA certification application, do not hesitate to visit Vcedump.com to find your solutions here.