Recommend!!

Get the Full CS0-002 dumps in VCE and PDF From SurePassExam
https://www.surepassexam.com/CS0-002-exam-dumps.html (372 New Questions)

CompTIA
Exam Questions CS0-002
CompTIA Cybersecurity Analyst (CySA+) Certification Exam

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

 Recommend!! Get the Full CS0-002 dumps in VCE and PDF From SurePassExam
https://www.surepassexam.com/CS0-002-exam-dumps.html (372 New Questions)

NEW QUESTION 1
A company has alerted planning the implemented a vulnerability management procedure. However, to security maturity level is low, so there are some
prerequisites to complete before risk calculation and prioritization.
Which of the following should be completed FIRST?

A. A business Impact analysis

B. A system assessment
C. Communication of the risk factors
D. A risk identification process

Answer: A

Explanation:
A business impact analysis (BIA) should be completed first before risk calculation and prioritization. A BIA is a process that identifies and evaluates the potential
effects of disruptions to critical business functions or processes. A BIA helps to determine the recovery priorities, objectives, and strategies for the organization’s
assets and resources1. A BIA is a prerequisite for risk calculation and prioritization because it provides the basis for estimating the impact and likelihood of various
threats and vulnerabilities on the organization’s operations, reputation, and finances2.

NEW QUESTION 2
After running the cat file01.bin | hexdump -c command, a security analyst reviews the following output snippet:
00000000 ff d8 ft e0 00 10 4a 46 49 46 00 01 01 00 00 01 |......JFIF......|
Which of the following digital-forensics techniques is the analyst using?

A. Reviewing the file hash

B. Debugging the binary file
C. Implementing file carving
D. Verifying the file type
E. Utilizing reverse engineering

Answer: D

Explanation:
This is the digital-forensics technique that the analyst is using by running the cat file01.bin | hexdump -c command. This command displays the contents of the
binary file in hexadecimal and ASCII format, which can help identify the file type based on its header or signature. In this case, the output snippet shows that the
file type is JPEG, as indicated by the ff d8 ff e0 bytes at the beginning and the JFIF string in ASCII.

NEW QUESTION 3
The management team has asked a senior security engineer to explore DLP security solutions for the company's growing use of cloud-based storage. Which of
the following is an appropriate solution to control the sensitive data that is being stored in the cloud?

A. NAC
B. IPS
C. CASB
D. WAF

Answer: C

Explanation:
A cloud access security broker (CASB) is a security solution that monitors and controls the use of cloud-based services and applications. A CASB can provide data
loss prevention (DLP) capabilities for sensitive data that is being stored in the cloud, such as encryption, masking, tokenization, or redaction. A CASB can also
enforce policies and compliance requirements for cloud usage, such as authentication, authorization, auditing, and reporting. The other options are not appropriate
solutions for controlling sensitive data in the cloud. References: CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page 14;
https://docs.microsoft.com/en-us/cloud-app-security/what-is-cloud-app-security

NEW QUESTION 4
An IT security analyst has received an email alert regarding a vulnerability within the new fleet of vehicles the company recently purchased. Which of the following
attack vectors is the vulnerability MOST likely targeting?

A. SCADA
B. CAN bus
C. Modbus
D. IoT

Answer: B

Explanation:
The Controller Area Network - CAN bus is a message-based protocol designed to allow the Electronic Control Units (ECUs) found in today’s automobiles, as well
as other devices, to communicate with each other in a reliable, priority-driven fashion. Messages or “frames” are received by all devices in the network, which
does not require a host computer.
CAN bus stands for Controller Area Network bus, which is a communication protocol that allows different devices and components in a vehicle to communicate
and exchange data. The vulnerability within the new fleet of vehicles is most likely targeting the CAN bus, because it could allow an attacker to manipulate or
disrupt the operation of the vehicle. SCADA, Modbus, and IoT are other terms related to communication protocols or systems, but they are not specific to vehicles.
Reference: https://www.csoonline.com/article/3218104/what-is-a-can-bus-and-how-can-it-be-hacked.html

NEW QUESTION 5
As part of an Intelligence feed, a security analyst receives a report from a third-party trusted source. Within the report are several detrains and reputational
information that suggest the company's employees may be targeted for a phishing campaign. Which of the following configuration changes would be the MOST

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

 Recommend!! Get the Full CS0-002 dumps in VCE and PDF From SurePassExam
https://www.surepassexam.com/CS0-002-exam-dumps.html (372 New Questions)

appropriate for Mergence gathering?

A. Update the whitelist.

B. Develop a malware signature.
C. Sinkhole the domains
D. Update the Blacklist

Answer: D

Explanation:
A blacklist is a list of domains, IP addresses, email addresses, or other identifiers that are known or suspected to be malicious or harmful. A blacklist can be used
to block or filter unwanted or dangerous traffic from reaching a network or system2
Updating the blacklist can help prevent phishing campaigns by adding the
domains or email addresses of the phishing sources to the list and preventing them from sending emails to the company’s employees.

NEW QUESTION 6
The steering committee for information security management annually reviews the security incident register for the organization to look for trends and systematic
issues. The steering committee wants to rank the risks based on past incidents to improve the security program for next year. Below is the incident register for the
organization:

Which of the following should the organization consider investing in first due to the potential impact of availability?

A. Hire a managed service provider to help with vulnerability management.

B. Build a warm site in case of system outages.
C. Invest in a failover and redundant system, as necessary.
D. Hire additional staff for the IT department to assist with vulnerability management and log review.

Answer: C

Explanation:
Investing in a failover and redundant system, as necessary, is the best solution to improve the availability of the organization’s systems based on past incidents. A
failover system is a backup system that automatically takes over the operation of a primary system in case of a failure or outage. A redundant system is a duplicate
system that runs simultaneously with the primary system and provides backup functionality if needed. Investing in a failover and redundant system can help to
ensure that the organization’s systems are always available and can handle the workload without interruption or degradation .

NEW QUESTION 7
A security analyst reviews SIEM logs and discovers the following error event:

Which of the following environments does the analyst need to examine to continue troubleshooting the event?

A. Proxy server
B. SQL server
C. Windows domain controller
D. WAF appliance
E. DNS server

Answer: C

Explanation:
A Windows domain controller is a server that manages authentication and authorization for users and computers in a Windows domain. A Windows domain
controller uses Active Directory Domain Services (AD DS) to store information about users, groups, computers, policies, and other objects in a domain. A Windows

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

 Recommend!! Get the Full CS0-002 dumps in VCE and PDF From SurePassExam
https://www.surepassexam.com/CS0-002-exam-dumps.html (372 New Questions)

domain controller can generate event logs that record various activities and events related to security, system, application, etc. The event log shown in the
question indicates that it was generated by a Windows domain controller with an IP address of 10.0.0.1 and a hostname of DC01.

NEW QUESTION 8
Which of the following is the most effective approach to minimize the occurrence of vulnerabilities introduced by unintentional misconfigurations in the cloud?

A. Requiring security training certification before granting access to staff

B. Migrating all resources to a private cloud deployment
C. Restricting changes to the deployment of validated laC templates
D. Reducing laaS deployments by fostering serverless architectures

Answer: C

Explanation:
IaC stands for infrastructure as code, which is a practice of using code or configuration files to automate the provisioning and management of cloud resources. IaC
templates can help ensure consistency, repeatability, and scalability of cloud deployments, as well as reduce human errors and misconfigurations. However, IaC
templates need to be validated and tested before deployment, and any changes to the templates should be controlled and monitored. This can help minimize the
occurrence of vulnerabilities introduced by unintentional misconfigurations in the cloud

NEW QUESTION 9
A Chief Information Officer wants to implement a BYOD strategy for all company laptops and mobile phones. The Chief Information Security Officer is concerned
with ensuring all devices are patched and running some sort of protection against malicious software. Which of the following existing technical controls should a
security analyst recommend to best meet all the requirements?

A. EDR
B. Port security
C. NAC
D. Segmentation

Answer: A

Explanation:
EDR stands for endpoint detection and response, which is a type of security solution that monitors and protects all devices that are connected to a network, such
as laptops and mobile phones. EDR can help to ensure that all devices are patched and running some sort of protection against malicious software by providing
continuous visibility, threat detection, incident response, and remediation capabilities. EDR can also help to enforce security policies and compliance requirements
across all devices .

NEW QUESTION 10
A company's threat team has been reviewing recent security incidents and looking for a common theme. The team discovered the incidents were caused by
incorrect configurations on the impacted systems. The issues were reported to support teams, but no action was taken. Which of the following is the next step the
company should take to ensure any future issues are remediated?

A. Require support teams to develop a corrective control that ensures security failures are addressed once they are identified.
B. Require support teams to develop a preventive control that ensures new systems are built with the required security configurations.
C. Require support teams to develop a detective control that ensures they continuously assess systems for configuration errors.
D. Require support teams to develop a managerial control that ensures systems have a documented configuration baseline.

Answer: A

Explanation:
Requiring support teams to develop a corrective control that ensures security failures are addressed once they are identified is the best step to prevent future
issues from being remediated. Corrective controls are actions or mechanisms that are implemented after a security incident or failure has occurred to fix or restore
the normal state of the system or network. Corrective controls can include patching, updating, repairing, restoring, or reconfiguring systems or components that
were affected by the incident or failure .

NEW QUESTION 10
A manufacturing company has joined the information sharing and analysis center for its sector. As a benefit, the company will receive structured loC data
contributed by other members. Which of the following best describes the utility of this data?

A. Other members will have visibility into Instances o' positive loC identification within me manufacturing company's corporate network.
B. The manufacturing company will have access to relevant malware samples from all other manufacturing sector members.
C. Other members will automatically adjust their security postures lo defend the manufacturing company's processes.
D. The manufacturing company can automatically generate security configurations for all of Its Infrastructure.

Answer: B

Explanation:
This best describes the utility of the structured loC data contributed by other members of the information sharing and analysis center (ISAC) for its sector. loC
stands for indicator of compromise, which is a piece of information that suggests a potential intrusion or attack, such as an IP address, a file hash, a domain name,
or a malware signature. By sharing loC data, the ISAC members can benefit from each other’s threat intelligence and improve their security defenses.

NEW QUESTION 15
An online gaming company was impacted by a ransomware attack. An employee opened an attachment that was received via an SMS attack on a company-issue
firewall. Which following actions would help during the forensic analysis of the mobile device? (Select TWO).

A. Resetting the phone to factory settings

B. Rebooting the phone and installing the latest security updates
C. Documenting the respective chain of custody

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

 Recommend!! Get the Full CS0-002 dumps in VCE and PDF From SurePassExam
https://www.surepassexam.com/CS0-002-exam-dumps.html (372 New Questions)

D. Uninstalling any potentially unwanted programs

E. Performing a memory dump of the mobile device for analysis
F. Unlocking the device by blowing the eFuse

Answer: CE

Explanation:
Documenting the respective chain of custody and performing a memory dump of the mobile device for analysis would help during the forensic analysis of the
mobile device. The chain of custody is a record of who handled the evidence, when, where, how, and why. The chain of custody helps to preserve the integrity and
admissibility of the evidence by preventing tampering, alteration, or loss1. A memory dump is a process of capturing and storing the contents of the device’s
memory (RAM) for analysis. A memory dump can help to recover volatile data that may be lost when the device is powered off or rebooted, such as running
processes, network connections, encryption keys, or malware traces2.

NEW QUESTION 20
A company stores all of its data in the cloud. All company-owned laptops are currently unmanaged, and all users have administrative rights. The security team is
having difficulty identifying a way to secure the environment. Which of the following would be the BEST method to protect the company's data?

A. Implement UEM on an systems and deploy security software.

B. Implement DLP on all workstations and block company data from being sent outside the company
C. Implement a CASB and prevent certain types of data from being downloaded to a workstation
D. Implement centralized monitoring and logging for an company systems.

Answer: C

Explanation:
A CASB, or Cloud Access Security Broker, is a software tool or service that acts as an intermediary between an organization’s cloud services and its users. A
CASB can provide various security functions, such as visibility, compliance, threat protection, and data security2
A CASB can help protect the company’s data stored in the cloud by preventing certain types of data from being downloaded to a workstation, such as sensitive or
confidential information. This can reduce the risk of data leakage, theft, or loss if a workstation is compromised or stolen.

NEW QUESTION 25
A security officer needs to find the most cost-effective solution to the current data privacy and protection gap found in the last security assessment Which of the
following is the BEST recommendation?

A. Require users to sign NDAs

B. Create a data minimization plan.
C. Add access control requirements
D. Implement a data loss prevention solution

Answer: B

Explanation:
Creating a data minimization plan would be the most cost-effective solution to the current data privacy and protection gap found in the last security assessment.
Data minimization is a principle that states that organizations should collect, store, process, and retain only the minimum amount of personal data that is necessary
for their legitimate purposes. Data minimization can help reduce the risk of data breaches, data leaks, or data misuse by limiting the exposure and access to
sensitive data. Data minimization can also help comply with data protection regulations, such as the General Data Protection Regulation (GDPR), that require
organizations to justify their data collection and processing activities. Data minimization can be achieved by implementing various measures, such as deleting or
anonymizing unnecessary data, applying retention policies, or using encryption or pseudonymization techniques.

NEW QUESTION 28
During the forensic analysis of a compromised machine, a security analyst discovers some binaries that are exhibiting abnormal behaviors. After extracting the
strings, the analyst finds unexpected content. Which of the following is the next step the analyst should take?

A. Validate the binaries' hashes from a trusted source.

B. Use file integrity monitoring to validate the digital signature
C. Run an antivirus against the binaries to check for malware.
D. Only allow binaries on the approve list to execute.

Answer: A

Explanation:
Validating the binaries’ hashes from a trusted source is the next step the analyst should take after discovering some binaries that are exhibiting abnormal
behaviors and finding unexpected content in their strings. A hash is a fixed-length value that uniquely represents the contents of a file or message. By comparing
the hashes of the binaries on the compromised machine with the hashes of the original or legitimate binaries from a trusted source, such as the software vendor or
repository, the analyst can determine whether the binaries have been modified or replaced by malicious code. If the hashes do not match, it indicates that the
binaries have been tampered with and may contain malware.

NEW QUESTION 33
During the onboarding process for a new vendor, a security analyst obtains a copy of the vendor's latest penetration test summary:

Performed by: Vendor Red Team Last performed: 14 days ago

Which of the following recommendations should the analyst make first?

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

 Recommend!! Get the Full CS0-002 dumps in VCE and PDF From SurePassExam
https://www.surepassexam.com/CS0-002-exam-dumps.html (372 New Questions)

A. Perform a more recent penetration test.

B. Continue vendor onboarding.
C. Disclose details regarding the findings.
D. Have a neutral third party perform a penetration test.

Answer: C

Explanation:
The analyst should disclose details regarding the findings of the vendor’s latest penetration test summary as the first recommendation, as this can help assess the
vendor’s security posture and identify any potential risks or issues that may affect the organization. The analyst should review the findings and ask for more
information about the scope, methodology, and remediation actions of the penetration test, as well as any evidence or artifacts that support the findings.

NEW QUESTION 37
An internally developed file-monitoring system identified the following except as causing a program to crash often:

Which of the following should a security analyst recommend to fix the issue?

A. Open the access.log file ri read/write mode.

B. Replace the strcpv function.
C. Perform input samtizaton
D. Increase the size of the file data buffer

Answer: B

Explanation:
The security analyst should recommend replacing the strcpy function with a safer alternative. The strcpy function is a C library function that copies a string from
one buffer to another. However, this function does not check the size of the destination buffer, which can lead to buffer overflow vulnerabilities if the source string is
longer than the destination buffer. Buffer overflow vulnerabilities can allow attackers to execute arbitrary code or crash the program. A safer alternative to strcpy is
strncpy, which limits the number of characters copied to the size of the destination buffer.

NEW QUESTION 42
When investigating a report of a system compromise, a security analyst views the following /var/log/secure log file:

Which of the following can the analyst conclude from viewing the log file?

A. The comptia user knows the sudo password.

B. The comptia user executed the sudo su command.
C. The comptia user knows the root password.
D. The comptia user added himself or herself to the /etc/sudoers file.

Answer: B

Explanation:
The /var/log/secure log file is a file that records security-related events on a Linux system, such as authentication attempts or sudo commands. The log file shows
that the comptia user executed the sudo su command, which allows the user to switch to the root account and gain superuser privileges. The log file does not
show that the comptia user knows the sudo password, knows the root password, or added himself or herself to the /etc/sudoers file. Reference:
https://www.cyberciti.biz/faq/linux-log-files-location-and-how-do-i-view-logs-files/

NEW QUESTION 47
An analyst is working on a method to allow secure access to a highly sensi-tive server. The solution must allow named individuals remote access to data contained
on the box and must limit access to a single IP address. Which of the following solutions would best meet these requirements?

A. Jump box
B. Software-defined networking
C. VLAN
D. ACL

Answer: A

Explanation:
A jump box is a secure computer that can be used to access a remote server or network. It acts as an intermediary between the user and the target system, and
can limit access to specific IP addresses. A jump box can also provide logging and auditing of the user’s actions on the remote system. A jump box is a common
solution for accessing highly sensitive servers or networks1.

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

 Recommend!! Get the Full CS0-002 dumps in VCE and PDF From SurePassExam
https://www.surepassexam.com/CS0-002-exam-dumps.html (372 New Questions)

NEW QUESTION 49
A security team has begun updating the risk management plan, incident response plan, and system security plan to ensure compliance with security review
guidelines. Which of the following can be executed by internal managers to simulate and validate the proposed changes?

A. Internal management review

B. Control assessment
C. Tabletop exercise
D. Peer review

Answer: C

Explanation:
According to the CompTIA CySA+ Certification Exam (CS0-002) study guide, a tabletop exercise can be executed by internal managers to simulate and validate
changes to the risk management plan, incident response plan, and system security plan. In a tabletop exercise, participants discuss and work through a simulated
scenario, usually in a classroom or conference room setting, to evaluate their readiness and understanding of the proposed changes. This type of exercise can
help to identify any potential issues or gaps in the proposed changes and can provide valuable insights for refining and improving the plans.

NEW QUESTION 53
A company’s Chief Information Security Officer (CISO) published an Internet usage policy that prohibits employees from accessing unauthorized websites. The IT
department whitelisted websites used for business needs. The CISO wants the security analyst to recommend a solution that would improve security and support
employee morale. Which of the following security recommendations would allow employees to browse
non-business-related websites?

A. Implement a virtual machine alternative.

B. Develop a new secured browser.
C. Configure a personal business VLAN.
D. Install kiosks throughout the building.

Answer: A

Explanation:
A virtual machine alternative is a solution that allows employees to access non-business-related websites on a separate virtual machine that is isolated from the
company’s network and data. This way, the employees can browse the internet without compromising the security or performance of the company’s systems3

NEW QUESTION 58
After examining a header and footer file, a security analyst begins reconstructing files by scanning the raw data bytes of a hard disk and rebuilding them. Which of
the following techniques is the analyst using?

A. Header analysis
B. File carving
C. Metadata analysis
D. Data recovery

Answer: B

Explanation:
File carving is a technique that involves scanning the raw data bytes of a hard disk and rebuilding files by using information found in file headers and footers. File
carving can help recover files that have been deleted or corrupted or that are not recognized by the file system. File carving does not rely on metadata or directory
structures to locate files, but rather on file signatures or patterns that indicate the start and end of files. File carving can be performed manually or automatically
using tools or software that support various file formats. Header analysis (A) is a technique that involves examining file headers to determine file types or formats.
Header analysis can help identify files that have been renamed or disguised or that have unknown extensions. Header analysis does not involve reconstructing
files by scanning raw data bytes. Metadata analysis © is a technique that involves examining metadata to extract information about files or file systems. Metadata
analysis can help determine file attributes such as name, size, date, location, owner, etc. Metadata analysis does not involve reconstructing files by scanning raw
data bytes

NEW QUESTION 62
An application developer needs help establishing a digital certificate for a new application. Which of the following illustrates a certificate management best
practice?

A. Ensure the certificate Is applied to the certificate revocation list.

B. Ensure the certificate key algorithm is SHA-1 compliant.
C. Ensure the certificate is requested from a trusted CA.
D. Ensure the developer has self-signed the certificate.
E. Ensure the certificate key is less than 1028 bits long.

Answer: C

Explanation:
The best practice for establishing a digital certificate for a new application is to ensure the certificate is requested from a trusted CA. A CA stands for Certificate
Authority, and it is an entity that issues and verifies digital certificates, which are electronic documents that contain a public key and a digital signature that prove
the identity and authenticity of an application, a website, or a person. Requesting a certificate from a trusted CA can help ensure that the certificate is valid, secure,
and recognized by other parties.

NEW QUESTION 65
Which of the following lines from this output most likely indicates that attackers could quickly use brute force and determine the negotiated secret session key?

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

 Recommend!! Get the Full CS0-002 dumps in VCE and PDF From SurePassExam
https://www.surepassexam.com/CS0-002-exam-dumps.html (372 New Questions)

A. TLS_RSA_WITH_DES_CBC_SHA 56
B. TLS_DHE_RSA_WITH_AES_128_CBC_SHA 128 DH (1024 bits)
C. TLS_RSA_WITH_AES_256_CBC_SHA 256
D. TLS_DHE_RSA_WITH_AES_256_GCM_SHA256 DH (2048 bits)

Answer: B

Explanation:
The line from this output that most likely indicates that attackers could quickly use brute force and determine the negotiated secret session key is
TLS_DHE_RSA_WITH_AES_128_CBC_SHA 128 DH (1024 bits). This line indicates that the cipher suite uses Diffie-Hellman ephemeral (DHE) key exchange with
RSA authentication, AES 128-bit encryption with cipher block chaining (CBC) mode, and SHA-1 hashing. The DHE key exchange uses a 1024-bit Diffie-Hellman
group, which is considered too weak for modern security standards and can be broken by attackers using sufficient computing power. The other lines indicate
stronger cipher suites that use longer key lengths or more secure algorithms. References: CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives
(CS0-002), page 9;
https://learn.microsoft.com/en-us/windows/win32/secauthn/cipher-suites-in-schannel

NEW QUESTION 69
An organization wants to implement controls for protecting private information at rest. Which of the following would meet the organization's need?

A. Non-disclosure agreements
B. Retention policies
C. Data minimization
D. Encryption

Answer: D

Explanation:
The correct answer is D. Encryption. Encryption is a technical control that transforms data into an unreadable format using a secret key or algorithm. Encryption
can protect data at rest by preventing unauthorized access, modification, or exfiltration of the data. Encryption can also protect data in transit and in use,
depending on the type and level of encryption applied1.

NEW QUESTION 71
A computer hardware manufacturer developing a new SoC that will be used by mobile devices. The SoC should not allow users or the process to downgrade from
a newer firmware to an older one. Which of the following can the hardware manufacturer implement to prevent firmware downgrades?

A. Encryption
B. eFuse
C. Secure Enclave
D. Trusted execution

Answer: B

Explanation:
An eFuse, or electronic fuse, is a microscopic fuse put into a computer chip that can be blown by applying a high voltage or current. Once blown, an eFuse cannot
be reset or repaired, and its state can be read by software or hardware2
An eFuse can be used by a hardware manufacturer to prevent firmware downgrades on a
system-on-chip (SoC) that will be used by mobile devices. An eFuse can store information such as the firmware version, security level, or device configuration on
the chip. When a newer firmware is installed, an eFuse can be blown to indicate the update and prevent reverting to an older firmware. This can help protect the

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

 Recommend!! Get the Full CS0-002 dumps in VCE and PDF From SurePassExam
https://www.surepassexam.com/CS0-002-exam-dumps.html (372 New Questions)

device from security vulnerabilities, compatibility issues, or unauthorized modifications.

NEW QUESTION 75
A new prototype for a company's flagship product was leaked on the internet As a result, the management team has locked out all USB drives Optical drive writers
are not present on company computers The sales team has been granted an exception to share sales presentation files with third parties Which of the following
would allow the IT team to determine which devices are USB enabled?

A. Asset tagging
B. Device encryption
C. Data loss prevention
D. SIEMIogs

Answer: D

Explanation:
A security information and event management (SIEM) system is a tool that collects and analyzes log data from various sources and provides alerts and reports on
security incidents and events. A SIEM system can help the IT team to determine which devices are USB enabled by querying the log data for events related to
USB device insertion, removal, or usage. The other options are not relevant or effective for this purpose. References: CompTIA Cybersecurity Analyst (CySA+)
Certification Exam Objectives (CS0-002), page 15;
https://www.sans.org/reading-room/whitepapers/analyst/security-information-event-management-siem-impleme

NEW QUESTION 78
A new government regulation requires that organizations only retain the minimum amount of data on a person to perform the organization's necessary activities.
Which of the following techniques would help an organization comply with this new regulation?

A. Storing the highest-risk data in a separate and secured environment

B. Limiting access to data on a need-to-know basis
C. Deidentlfying a data subject throughout the organization's applications
D. Having a privacy expert peer review source code before deployment

Answer: C

Explanation:
Deidentifying a data subject means removing or obscuring any data that can be used to identify, locate, or contact an individual, such as names, addresses, phone
numbers, email addresses, social security numbers, etc. Deidentifying a data subject throughout the organization’s applications can help comply with the new
regulation that requires only retaining the minimum amount of data on a person to perform the organization’s necessary activities.

NEW QUESTION 80
Which of the following BEST describes what an organizations incident response plan should cover regarding how the organization handles public or private
disclosures of an incident?

A. The disclosure section should focus on how to reduce the likelihood customers will leave due to the incident.
B. The disclosure section should contain the organization's legal and regulatory requirements regardingdisclosures.
C. The disclosure section should include the names and contact information of key employees who are needed for incident resolution
D. The disclosure section should contain language explaining how the organization will reduce the likelihood of the incident from happening m the future.

Answer: B

Explanation:
The disclosure section of an organization’s incident response plan should cover how the organization handles public or private disclosures of an incident. The
disclosure section should contain the organization’s legal and regulatory requirements regarding disclosures, such as the type, content, format, timing, and
recipients of the disclosures. The disclosure section should also specify the roles and responsibilities of the personnel involved in the disclosure process, such as
who is authorized to make or approve disclosures, who is responsible for communicating with internal and external stakeholders, and who is accountable for
ensuring compliance with the disclosure requirements. The disclosure section should not focus on how to reduce the likelihood customers will leave due to the
incident (A), as this is a business objective rather than a disclosure requirement. The disclosure section should not include the names and contact information of
key employees who are needed for incident resolution ©, as this is an operational detail rather than a disclosure requirement. The disclosure section should not
contain language explaining how the organization will reduce the likelihood of the incident from happening in the future (D), as this is a remediation action rather
than a disclosure requirement.

NEW QUESTION 85
A systems administrator believes a user's workstation has been compromised. The workstation's performance has been lagging significantly for the past several
hours. The administrator runs the task list
/ v command and receives the following output:

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

 Recommend!! Get the Full CS0-002 dumps in VCE and PDF From SurePassExam
https://www.surepassexam.com/CS0-002-exam-dumps.html (372 New Questions)

Which of the following should a security analyst recognize as an indicator of compromise?

A. dwm.exe being executed under the user context

B. The high usage of vscod
C. exe * 32
D. The abnormal behavior of paint.exe
E. svchost.exe being executed as SYSTEM

Answer: B

Explanation:
The tasklist command is used to display a list of all running processes on a system. In this output, the security analyst should recognize the high memory usage
(1302103K) of vscode.exe * 32, which is an indication that this process is consuming a large amount of system resources. This could be a sign that the system has
been compromised, as malware often uses system resources to perform malicious activities.

NEW QUESTION 90
An organizational policy requires one person to input accounts payable and another to do accounts receivable. A separate control requires one person to write a
check and another person to sign all checks greater than $5,000 and to get an additional signature for checks greater than $10,000. Which of the following controls
has the organization implemented?

A. Segregation of duties
B. Job rotation
C. Non-repudiaton
D. Dual control

Answer: A

Explanation:
Segregation of duties is a security control that requires multiple people to be involved with completing a task. This helps prevent fraud, as it ensures that no one
individual has the ability to commit fraud or make mistakes without other people being aware of it

NEW QUESTION 94
The following output is from a tcpdump al the edge of the corporate network:

Which of the following best describes the potential security concern?

A. Payload lengths may be used to overflow buffers enabling code execution.

B. Encapsulated traffic may evade security monitoring and defenses
C. This traffic exhibits a reconnaissance technique to create network footprints.
D. The content of the traffic payload may permit VLAN hopping.

Answer: B

Explanation:
Encapsulated traffic may evade security monitoring and defenses by hiding or obfuscating the actual content or source of the traffic. Encapsulation is a technique
that wraps data packets with additional headers or protocols to enable communication across different network types or layers. Encapsulation can be used for
legitimate purposes, such as tunneling, VPNs, or NAT, but it can also be used by attackers to bypass security controls or detection mechanisms that are not able
to inspect or analyze the encapsulated traffic .

NEW QUESTION 98
During a routine review of service restarts a security analyst observes the following in a server log:

Which of the following is the GREATEST security concern?

A. The daemon's binary was AChanged

B. Four consecutive days of monitoring are skipped in the tog
C. The process identifiers for the running service change
D. The PIDs are continuously changing

Answer: A

Explanation:
A daemon is a program that runs in the background on a system and performs certain tasks or services without user intervention. A daemon’s binary is the

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

 Recommend!! Get the Full CS0-002 dumps in VCE and PDF From SurePassExam
https://www.surepassexam.com/CS0-002-exam-dumps.html (372 New Questions)

executable file that contains the code and instructions for the daemon to run. The server log shows that the daemon’s binary was changed on Aug 1 2020 at
00:00:01 by an unknown user with UID 0 (root). This is the greatest security concern, because it could indicate that an attacker has gained root access to the
system and modified the daemon’s binary with malicious code that could compromise the system’s security or functionality. Four consecutive days of monitoring
being skipped in the log, the process identifiers for the running service changing, or the PIDs continuously changing are not security concerns, but rather normal
events that could occur due to system maintenance, updates, restarts, or scheduling. Reference: https://www.linux.com/training-tutorials/what-are-linux-daemons/

NEW QUESTION 102

A security analyst works for a biotechnology lab that is planning to release details about a new cancer treatment. The analyst has been instructed to tune the SIEM
softvare and IPS in preparation for the
announcement. For which of the following concerns will the analyst most likely be monitoring?

A. Intellectual property loss

B. PII loss
C. Financial information loss
D. PHI loss

Answer: A

Explanation:
SIEM software is a tool that provides a single centralized platform for the collection, monitoring, and management of security-related events and log data from
across the enterprise1. SIEM software can help security analysts detect, investigate, and respond to threats, as well as comply with regulations and standards.
IPS stands for Intrusion Prevention System. It is a device or software that monitors network traffic and blocks or modifies malicious packets before they reach their
destination2. IPS can help security analysts prevent attacks, protect sensitive data, and reduce network downtime.
A security analyst working for a biotechnology lab that is planning to release details about a new cancer treatment would most likely be monitoring for A.
Intellectual property loss. Intellectual property (IP) refers t the creations of the mind, such as inventions, designs, artistic works, or trade secrets3. IP loss occurs
when someone steals, leaks, or misuses the IP of an organization without authorization.
The biotechnology lab’s new cancer treatment is an example of IP that has high value and potential impact on the market and society. Therefore, the security
analyst would want to protect it from competitors, hackers, or other malicious actors who might try to access it illegally or sabotage it. The security analyst would
use SIEM software and IPS to monitor for any signs of unauthorized access, data exfiltration, or tampering with the lab’s network or systems.

NEW QUESTION 104

A security manager has asked an analyst to provide feedback on the results of a penetration test. After reviewing the results, the manager requests
information regarding the possible exploitation of vulnerabilities. Which of the following information data points would be MOST useful for the analyst
to provide to the security manager, who would then communicate the risk factors to the senior management team? (Select TWO).

A. Probability
B. Adversary capability
C. Attack vector
D. Impact
E. Classification
F. Indicators of compromise

Answer: BD

Explanation:
According to the CompTIA CySA+ (CS0-002) best practices, the most useful information data points to provide to the security manager for communicating the risk
factors to senior management are the impact and adversary capability. The impact refers to the potential consequences of a successful attack or exploitation of a
vulnerability, such as data loss or system compromise. The adversary capability refers to the ability of an attacker to exploit a vulnerability, including their technical
expertise and resources. Together, these data points help to provide a complete picture of the risk associated with a vulnerability, and allow senior management to
make informed decisions regarding risk mitigation and remediation. The other data points, such as probability, attack vector, classification, and indicators of
compromise, can also be valuable, but the impact and adversary capability are considered the most critical for prioritizing risk mitigation efforts.

NEW QUESTION 105

Which of the following describes the difference between intentional and unintentional insider threats'?

A. Their access levels will be different

B. The risk factor will be the same
C. Their behavior will be different
D. The rate of occurrence will be the same

Answer: C

Explanation:
The difference between intentional and unintentional insider threats is their behavior. Intentional insider threats are malicious actors who deliberately misuse their
access to harm the organization or its assets. Unintentional insider threats are careless or negligent users who accidentally compromise the security of the
organization or its assets. Their access levels, risk factors, and rates of occurrence may vary depending on various factors, but their behavior is the main
distinction. References: CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page 12;
https://www.cisa.gov/sites/default/files/publications/Insider_Threat_Mitigation_Guide_508.pdf

NEW QUESTION 106

A security analyst is researching ways to improve the security of a company's email system to mitigate emails that are impersonating company executives. Which
of the following would be BEST for the analyst to configure to achieve this objective?

A. A TXT record on the name server for SPF

B. DNSSEC keys to secure replication
C. Domain Keys identified Man
D. A sandbox to check incoming mad

Answer: C

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

 Recommend!! Get the Full CS0-002 dumps in VCE and PDF From SurePassExam
https://www.surepassexam.com/CS0-002-exam-dumps.html (372 New Questions)

Explanation:
Domain Keys Identified Mail (DKIM) is an email authentication method that uses a digital signature to let the
receiver of an email know that the message was sent and authorized by the owner of a domain1
DKIM helps prevent phishing emails that spoof or impersonate other domains by verifying the identity and integrity of the sender. DKIM works by adding a DKIM
signature header to each outgoing email message, which contains a hash value of selected parts of the message and the domain name of the sender. The
sender’s domain also publishes a public key in its DNS records, which can be used by the receiver to decrypt the DKIM signature and compare it with its own
hash value of the message. If they match, it means that the message was not altered in transit and that it came from the claimed domain.

NEW QUESTION 108

A security analyst observes a large amount of scanning activity coming from an IP address outside the organization's environment. Which of the following should
the analyst do to block this activity?

A. Create an IPS rule to block the subnet.

B. Sinkhole the IP address.
C. Create a firewall rule to block the IP address.
D. Close all unnecessary open ports.

Answer: C

Explanation:
A firewall is a device or software that controls the incoming and outgoing network traffic based on predefined rules. Creating a firewall rule to block the IP address
that is scanning the organization’s environment is an effective way to stop this activity and prevent potential attacks. Creating an IPS rule to block the subnet,
sinkholing the IP address, or closing all unnecessary open ports are other possible actions, but they are not as specific or efficient as creating a firewall rule to
block the IP address. Reference: https://www.cisco.com/c/en/us/solutions/small-business/resource-center/security/firewall.html

NEW QUESTION 109

A development team recently released a new version of a public-facing website for testing prior to production. The development team is soliciting the help of
various teams to validate the functionality of the website due to its high visibility. Which of the following activities best describes the process the development team
is initiating?

A. Static analysis
B. Stress testing
C. Code review
D. User acceptance testing

Answer: D

Explanation:
User acceptance testing is a process of verifying that a software application meets the requirements and expectations of the end users before it is released to
production. User acceptance testing can help to validate the functionality, usability, performance and compatibility of the software application with real-world
scenarios and feedback . User acceptance testing can involve various teams, such as developers, testers, customers and stakeholders.

NEW QUESTION 111

An organization recently discovered that spreadsheet files containing sensitive financial data were improperly stored on a web server. The management team
wants to find out if any of these files were downloaded by pubic users accessing the server. The results should be written to a text file and should induce the date.
time, and IP address associated with any spreadsheet downloads. The web server's log file Is named webserver log, and the report We name should be
accessreport.txt. Following is a sample of the web servefs.log file:
2017-0-12 21:01:12 GET /index.htlm - @4..102.33.7 - return=200 1622
Which of the following commands should be run if an analyst only wants to include entries in which spreadsheet was successfully downloaded?

A. more webserver.log | grep * xIs > accessreport.txt

B. more webserver.log > grep ''xIs > egrep -E 'success' > accessreport.txt
C. more webserver.log | grep ' -E ''return=200 | accessreport.txt
D. more webserver.log | grep -A *.xIs < accessreport.txt

Answer: C

Explanation:
The grep command is a tool that searches for a pattern of characters in a file or input and prints the matching lines1
The egrep command is a variant of grep that supports extended regular expressions, which allow more
complex and flexible pattern matching2
The more command is a filter that displays the contents of a file or
input one screen at a time3
The pipe symbol (|) is used to redirect the output of one command to the input of
another command. The redirection symbol (>) is used to redirect the output of a command to a file.
The command given in option C performs the following steps:
It uses the more command to display the contents of the webserver.log file.
It pipes the output of the more command to the grep command, which searches for lines that contain ‘*.xls’, which is a pattern that matches any file name
ending with .xls (a spreadsheet file extension).
It pipes the output of the grep command to the egrep command, which searches for lines that contain ‘return=200’, which is a pattern that matches any HTTP
status code of 200 (which indicates a successful request).
It redirects the output of the egrep command to a file named accessreport.txt, which contains the date, time, and IP address associated with any spreadsheet
downloads.

NEW QUESTION 116

A security analyst discovers suspicious host activity while performing monitoring activities. The analyst pulls a packet capture for the activity and sees the
following:

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

 Recommend!! Get the Full CS0-002 dumps in VCE and PDF From SurePassExam
https://www.surepassexam.com/CS0-002-exam-dumps.html (372 New Questions)

Which of the following describes what has occurred?

A. The host attempted to download an application from utoftor.com.

B. The host downloaded an application from utoftor.com.
C. The host attempted to make a secure connection to utoftor.com.
D. The host rejected the connection from utoftor.com.

Answer: C

Explanation:
The packet capture shows that the host sent a Client Hello message to utoftor.com on port 443. This message is part of the TLS (Transport Layer Security)
handshake protocol, which is used to establish a secure connection between a client and a server1. The Client Hello message contains information such as the
supported TLS version, cipher suites, and extensions that the client can use for the secure connection. The server is expected to respond with a Server Hello
message that selects the parameters for the secure connection. However, the packet capture does not show any response from the server, which means that the
host only attempted to make a secure connection to utoftor.com, but did not succeed. The host did not download (B) or reject (D) any application from utoftor.com.

NEW QUESTION 119

Which of the following solutions is the BEST method to prevent unauthorized use of an API?

A. HTTPS
B. Geofencing
C. Rate liming
D. Authentication

Answer: D

Explanation:
Authentication is a method of verifying a user’s identity by requiring some piece of evidence, such as something the user knows (e.g., password), something the
user has (e.g., token), or something the user is (e.g., fingerprint). Authentication is the best method to prevent unauthorized use of an API, because it ensures that
only legitimate users can access or use the API functions or data. HTTPS, geofencing, or rate limiting are other methods that can enhance the security or
performance of an API, but they do not prevent unauthorized use of an API. Reference: https://www.redhat.com/en/topics/api/what-is-api-security

NEW QUESTION 121

A cybersecurity analyst is supporting an Incident response effort via threat Intelligence Which of the following is the analyst most likely executing?

A. Requirements analysis and collection planning

B. Containment and eradication
C. Recovery and post-incident review
D. Indicator enrichment and research pivoting

Answer: D

Explanation:
Indicator enrichment and research pivoting are steps in the threat intelligence process that involve gathering additional information and context about the indicators
of compromise (IoCs) that are related to an incident, and using them to identify other potential sources of threat data or evidence. For example, an analyst can
enrich an IoC such as an IP address by looking up its geolocation, reputation, or associated domains, and then pivot to other sources of threat intelligence that
may have more information about the IP address or its activities.

NEW QUESTION 122

An organization completed an internal assessment of its policies and procedures. The audit team identified a deficiency in the policies and procedures for PH.
Which of the following should be the first step to secure the organization's Pll?

A. Complete Pll training within the organization.

B. Contact all Pll data owners within the organization.
C. Identify what type of Pll is on the network.
D. Formalize current Pll documentation.

Answer: C

Explanation:
Pll stands for Personally Identifiable Information, and it is any data that can be used to identify, locate, or contact an individual. Examples of Pll include names,

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

 Recommend!! Get the Full CS0-002 dumps in VCE and PDF From SurePassExam
https://www.surepassexam.com/CS0-002-exam-dumps.html (372 New Questions)

addresses, phone numbers, email addresses, social security numbers, bank account numbers, etc. The first step to secure the organization’s Pll is to identify what
type of Pll is on the network, where it is stored, who has access to it, and how it is transmitted. This can help determine the scope and impact of the deficiency in
the policies and procedures for Pll.

NEW QUESTION 123

A threat hurting team received a new loC from an ISAC that follows a threat actor's profile and activities. Which of the following should be updated NEXT?

A. The whitelist
B. The DNS
C. The blocklist
D. The IDS signature

Answer: D

Explanation:
The IDS signature should be updated next after receiving a new IoC (Indicator of Compromise) from an ISAC (Information Sharing and Analysis Center) that
follows a threat actor’s profile and activities. An IoC is a piece of evidence or artifact that suggests a system or network has been compromised or attacked by a
threat actor4. An IoC can be an IP address, domain name, URL, file hash, email address, registry key, etc. An ISAC is a nonprofit organization that collects,
analyzes, and shares threat intelligence and best practices among its members within a specific sector or industry5. An ISAC can help to improve the security
awareness and preparedness of its members by providing timely and relevant information about emerging threats and incidents.

NEW QUESTION 127

A manufacturing company uses a third-party service provider for Tier 1 security support. One of the requirements is that the provider must only source talent from
its own country due to geopolitical and national security interests. Which of the following can the manufacturing company implement to ensure the third-party
service provider meets this requirement?

A. Implement a secure supply chain program with governance.

B. Implement blacklisting lor IP addresses from outside the county.
C. Implement strong authentication controls for at contractors.
D. Implement user behavior analytics tor key staff members.

Answer: A

Explanation:
A secure supply chain program is a set of processes and practices that aim to protect the supply chain from various risks, such as cyberattacks, data breaches,
fraud, theft, sabotage, or natural disasters1. A secure supply chain program can help to ensure the integrity, availability, and confidentiality of the products,
services, data, and systems involved in the supply chain. A secure supply chain program with governance means that there are clear roles, responsibilities,
policies, procedures, and controls for managing the security of the supply chain. This can help to monitor and enforce the compliance of the third-party service
provider with the requirement to source talent from its own country. A secure supply chain program with governance can also help to identify and mitigate any
potential threats or vulnerabilities in the supply chain. Implementing blacklisting for IP addresses from outside the country (B) may not be sufficient or effective, as
IP addresses can be spoofed or bypassed by attackers. Implementing strong authentication controls for all contractors © may not be relevant or adequate, as
authentication controls do not prevent the sourcing of talent from other countries. Implementing user behavior analytics for key staff members (D) may not be
applicable or useful, as user behavior analytics do not verify the origin or location of the talent.

NEW QUESTION 130

An incident response plan requires systems that contain critical data to be triaged first in the event of a compromise. Which of the following types of data would
most likely be classified as critical?

A. Encrypted data
B. data
C. Masked data
D. Marketing data

Answer: B

Explanation:
PII stands for personally identifiable information, and it is any data that can be used to identify, contact, or locate a specific individual, such as name, address,
phone number, email, social security number, or biometric data. PII data is considered critical because it can be used by attackers to commit identity theft, fraud, or
other crimes. PII data is also subject to various laws and regulations that require organizations to protect it from unauthorized access, use, or disclosure1.

NEW QUESTION 133

A Chief Information Security Officer has requested a security measure be put in place to redirect certain traffic on the network. Which of the following would best
resolve this issue?

A. Sinkholing
B. Blocklisting
C. Geoblocking
D. Sandboxing

Answer: A

Explanation:
Sinkholing is a technique for manipulating data flow in a network; you redirect traffic from its intended destination to a server of your choosing. It can be used
maliciously, to steer legitimate traffic away from its intended recipient, but security professionals more commonly use sinkholing as a tool for research and reacting
to attacks1.
For example, sinkholing can be used to redirect traffic from a botnet or a malware-infected host to a server under the control of the defender, where the traffic can
be analyzed, blocked, or neutralized. This can help identify and isolate compromised devices, prevent command-and-control communication, and disrupt malicious
activities2.
The other options are not the best solutions for the following reasons:

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

 Recommend!! Get the Full CS0-002 dumps in VCE and PDF From SurePassExam
https://www.surepassexam.com/CS0-002-exam-dumps.html (372 New Questions)

Blocklisting is a technique for preventing access to or communication with certain IP addresses, domains, or applications that are known or suspected to be
malicious. Blocklisting can be implemented using firewalls, routers, proxies, or software tools. Blocklisting can protect a network from unwanted or harmful traffic,
but it does not redirect the traffic to a different destination.
Geoblocking is a technique for restricting access to or communication with certain IP addresses, domains, or applications based on their geographic location.
Geoblocking can be implemented using firewalls, routers, proxies, or software tools. Geoblocking can protect a network from unauthorized or
undesirable traffic from specific regions or countries, but it does not redirect the traffic to a different destination.
Sandboxing is a technique for isolating and executing potentially malicious code or applications in a separate and secure environment. Sandboxing can be
implemented using virtual machines, containers, or software tools. Sandboxing can protect a network from malware infection or damage, but it does not redirect
the network traffic to a different destination.

NEW QUESTION 134

A customer notifies a security analyst that a web application is vulnerable to information disclosure The analyst needs to indicate the seventy of the vulnerability
based on its CVSS score, which the analyst needs to calculate When analyzing the vulnerability the analyst realizes that tor the attack to be successful, the
Tomcat configuration file must be modified Which of the following values should the security analyst choose when evaluating the CVSS score?

A. Network
B. Physical
C. Adjacent
D. Local

Answer: C

Explanation:
The Common Vulnerability Scoring System (CVSS) is a standard for measuring the severity of vulnerabilities in software systems. One of the factors that affects
the CVSS score is the attack vector, which describes how the vulnerability can be exploited. The possible values for the attack vector are network, adjacent
network, local, or physical. In this case, the analyst should choose local as the value for the attack vector, because the Tomcat configuration file must be modified
for the attack to be successful, which implies that the attacker needs local access to the system. Network, adjacent network, or physical are not appropriate values
for the attack vector in this scenario. Reference:
https://www.first.org/cvss/v3.1/specification-document#Vector-String

NEW QUESTION 138

An organization is required to be able to consume multiple threat feeds simultaneously and to provide actionable intelligence to various teams. The organization
would also like to be able to leverage the intelligence to enrich security event data. Which of the following functions would most likely help the security analyst meet
the organization's requirements?

A. Vulnerability management
B. Risk management
C. Detection and monitoring
D. Incident response

Answer: C

Explanation:
The correct answer is C. Detection and monitoring. Detection and monitoring is a function that involves collecting, analyzing, and correlating data from various
sources, such as threat feeds, logs, alerts, or events, to identify and respond to potential or ongoing threats. Detection and monitoring can help the organization to
consume multiple threat feeds simultaneously and to provide actionable intelligence to various teams, such as security operations center (SOC) analysts, incident
responders, or threat hunters. Detection and monitoring can also help the organization to leverage the intelligence to enrich security event data, such as adding
context, severity, or priority to the events1.
* A. Vulnerability management is not correct. Vulnerability management is a function that involves identifying, assessing, and mitigating the weaknesses or flaws in
systems, applications, or networks that could be exploited by attackers. Vulnerability management can help the organization to reduce its attack surface and
prevent potential breaches, but it does not directly involve consuming multiple threat feeds simultaneously or providing actionable intelligence to various teams.
* B. Risk management is not correct. Risk management is a function that involves identifying, analyzing, and evaluating the risks that could affect the
organization’s assets, operations, or objectives. Risk management can help the organization to prioritize and implement appropriate controls or mitigation
strategies to reduce the likelihood or impact of the risks, but it does not directly involve consuming multiple threat feeds simultaneously or providing actionable
intelligence to various teams.
* D. Incident response is not correct. Incident response is a function that involves preparing for, detecting, containing, analyzing, and recovering from security
incidents that compromise the confidentiality, integrity, or availability of the organization’s assets or operations. Incident response can help the organization to
minimize the damage and restore normal operations as quickly as possible, but it does not directly involve consuming multiple threat feeds simultaneously or
providing actionable intelligence to various teams.
1: Cybersecurity Analyst+ - CompTIA

NEW QUESTION 141

Which of the following is a reason for correctly identifying APTs that might be targeting an organization?

A. APTs' passion for social justice will make them ongoing and motivated attackers.
B. APTs utilize methods and technologies differently than other threats
C. APTs are primarily focused on financial gam and are widely available over the internet.
D. APTs lack sophisticated methods, but their dedication makes them persistent.

Answer: B

Explanation:
APTs utilize methods and technologies differently than other threats. APTs stand for Advanced Persistent Threats, and they are sophisticated and stealthy attacks
that target specific organizations or networks over a long period of time, often with political or financial motives. APTs utilize methods and technologies differently
than other threats, such as using custom-made malware, exploiting zero-day vulnerabilities, leveraging social engineering techniques, or employing multiple
vectors of attack. APTs can also evade detection by existing security tools or controls, by using encryption, obfuscation, proxy servers, or other techniques to hide
their activities or communications.

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

 Recommend!! Get the Full CS0-002 dumps in VCE and PDF From SurePassExam
https://www.surepassexam.com/CS0-002-exam-dumps.html (372 New Questions)

NEW QUESTION 146

A security analyst is reviewing a firewall usage report that contains traffic generated over the last 30 minutes in order to locate unusual traffic patterns:

Which of the following source IP addresses does the analyst need to investigate further?

A. 10.18.76.179
B. 10.50.180.49
C. 192.168.48.147
D. 192.168.100.5

Answer: B

Explanation:
The security analyst needs to investigate further the source IP address 10.50.180.49. This IP address belongs to a private network that is not routable on the
internet. However, the firewall usage report shows that this IP address has sent traffic to an external destination on port 443 (HTTPS). This could indicate that the
IP address is spoofed or compromised by an attacker who is using it to exfiltrate data or communicate with a command-and-control server.

NEW QUESTION 148

An organization has a policy that requires dedicated user accounts to run programs that need elevated privileges. Users must be part of a group that allows
elevated permissions. While reviewing security logs, an analyst sees the following:

Which of the following hosts violates the organizational policies?

A. pacer
B. ford
C. gremlin
D. lincoln

Answer: D

Explanation:
The host “lincoln” violates the organizational policies that require dedicated user accounts to run programs that need elevated privileges. The log file shows that
the user “ldavis” tried to run programs such as “su root”, “sudo apache.bin”, and “sudo grep” on the host “lincoln”, which indicate attempts to gain elevated
privileges or access sensitive files. The other hosts do not show any evidence of policy violation.

NEW QUESTION 149

A vulnerability scanner has identified an out-of-support database software version running on a server. The software update will take six to nine months to
complete. The management team has agreed to a one-year extended support contract with the software vendor. Which of the following BEST describes the risk
treatment in this scenario?

A. The extended support mitigates any risk associated with the software.
B. The extended support contract changes this vulnerability finding to a false positive.
C. The company is transferring the risk for the vulnerability to the software vendor.
D. The company is accepting the inherent risk of the vulnerability.

Answer: C

Explanation:
The company is transferring the risk for the vulnerability to the software vendor. Risk transfer is a risk treatment strategy that involves shifting the potential loss or
impact of a risk to a third party, such as an insurance company or a vendor. Risk transfer does not eliminate the risk, but it reduces the organization’s exposure or
liability for the risk1. In this scenario, the company is transferring the risk for the vulnerability in the out-of-support database software to the software vendor by
signing an extended support contract. The extended support contract means that the software vendor will continue to provide security patches and updates for the
software until the company can complete the software update. This reduces the likelihood and impact of a potential exploit of the vulnerability.

NEW QUESTION 150

A security analyst is reviewing malware files without running them. Which of the following analysis types is the security analyst using?

A. Dynamic
B. Sandbox
C. Static
D. Heuristic

Answer: C

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

 Recommend!! Get the Full CS0-002 dumps in VCE and PDF From SurePassExam
https://www.surepassexam.com/CS0-002-exam-dumps.html (372 New Questions)

Explanation:
Static analysis is the process of reviewing malware files without running them, by using tools such as hex editors, strings, and signature scanners. Static analysis
can help extract basic information from malware files, such as file type, size, checksum, metadata, imports, exports, etc. Static analysis can also help identify
known malware samples based on their signatures or hashes.

NEW QUESTION 155

A technician working at company.com received the following email:

After looking at the above communication, which of the following should the technician recommend to the security team to prevent exposure of sensitive
information and reduce the risk of corporate data being stored on non-corporate assets?

A. Forwarding of corporate email should be disallowed by the company.

B. A VPN should be used to allow technicians to troubleshoot computer issues securely.
C. An email banner should be implemented to identify emails coming from external sources.
D. A rule should be placed on the DLP to flag employee IDs and serial numbers.

Answer: C

Explanation:
An email banner is a message that is added to the top or bottom of an email to provide some information or
warning to the recipient. An email banner should be implemented to identify emails coming from external sources to prevent exposure of sensitive information and
reduce the risk of corporate data being stored on
non-corporate assets. An email banner can help employees recognize phishing or spoofing attempts and avoid clicking on malicious links or attachments. It can
also remind employees not to share confidential information with external parties or forward corporate emails to personal accounts. The other options are not
relevant or effective for this purpose. References: CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page 13;
https://www.csoonline.com/article/3235970/what-is-spoofing-definition-and-how-to-prevent-it.html

NEW QUESTION 160

An employee observes degraded system performance on a Windows workstation. While attempting to access documents, the employee notices the file icons
appear abnormal and the file extensions have been changed. The employee instantly shuts down the machine and alerts a supervisor.
Which of the following forensic evidence will be lost as a result of these actions?

A. All user actions prior to shutting down the machine

B. All information stored in the machine's local database
C. All cached items that are queued to be written to the registry
D. Volatile artifacts in the system's memory

Answer: D

Explanation:
Volatile artifacts are data that is stored in a computer’s volatile memory while it is running, such as open network connections, running processes, encryption keys,
and internet history. Volatile artifacts can provide
valuable evidence for forensic investigations, especially for detecting and analyzing malware or malicious activities that do not leave traces on the hard drive.
However, volatile artifacts are wiped off the system’s memory once the power is turned off, so they cannot be recovered later

NEW QUESTION 164

A security analyst who works in the SOC receives a new requirement to monitor for indicators of compromise. Which of the following is the first action the analyst
should take in this situation?

A. Develop a dashboard to track the indicators of compromise.

B. Develop a query to search for the indicators of compromise.
C. Develop a new signature to alert on the indicators of compromise.
D. Develop a new signature to block the indicators of compromise.

Answer: B

Explanation:
Developing a query to search for the indicators of compromise is the first action the analyst should take in this situation. Indicators of compromise (IOCs) are
pieces of information that suggest a system or network has been compromised by an attacker. IOCs can include IP addresses, domain names, file hashes, URLs,
or other artifacts that are associated with malicious activity. Developing a query to search for IOCs can help to identify any potential incidents or threats in the
environment and initiate further investigation or response .

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

 Recommend!! Get the Full CS0-002 dumps in VCE and PDF From SurePassExam
https://www.surepassexam.com/CS0-002-exam-dumps.html (372 New Questions)

NEW QUESTION 167

A security analyst is investigating a data leak on a corporate website. The attacker was able to dump data by sending a crafted HTTP request with the following
payload:

Which of the following systems would most likely have logs with details regarding the threat actor's requests?

A. Cloud WAF
B. Internal proxy
C. TAXII server
D. Hardware security module

Answer: A

Explanation:
The correct answer is A. Cloud WAF. A cloud WAF stands for a cloud-based web application firewall, and it is a service that protects web applications from
common attacks, such as SQL injection, cross-site scripting, or denial-of-service. A cloud WAF can inspect and filter HTTP requests and responses between the
web application and the internet, and block or allow them based on predefined or custom rules. A cloud WAF can also generate logs with details regarding the
threat actor’s requests, such as the source IP address, the destination URL, the payload, the rule triggered, and the action taken1.
* B. Internal proxy is not correct. An internal proxy is a server that acts as an intermediary between internal clients and external servers. An internal proxy can
provide various functions, such as caching, filtering, authentication, or encryption. An internal proxy can also generate logs with details regarding the client’s
requests, such as the source IP address, the destination URL, the protocol used, and the response received2. However, an internal proxy would not have logs with
details regarding the threat actor’s requests, as they are directed to the web application, not to the internal proxy.
* C. TAXII server is not correct. TAXII stands for Trusted Automated eXchange of Intelligence Information, and it is a standard that defines how to exchange cyber
threat intelligence (CTI) between different systems or organizations. TAXII uses a client-server model, where a TAXII client can request or send CTI to a TAXII
server using predefined services and messages. A TAXII server can store and provide CTI in a structured and standardized format3. However, a TAXII server
would not have logs with details regarding the threat actor’s requests, as they are not related to CTI exchange.
* D. Hardware security module is not correct. A hardware security module (HSM) is a physical device that provides secure storage and processing of cryptographic
keys and operations. An HSM can protect sensitive data and transactions, such as encryption, decryption, signing, or verification, from unauthorized access or
tampering. However, an HSM would not have logs with details regarding the threat actor’s requests, as they are not related to cryptographic operations.
* 1: What Is a Cloud-Based Web Application Firewall (WAF)? 2: What Is a Proxy Server? 3: What Is T
[What Is a Hardware Security Module (HSM)?]

NEW QUESTION 171

A security analyst is supporting an embedded software team. Which of the following is the best recommendation to ensure proper error handling at runtime?

A. Perform static code analysis.

B. Require application fuzzing.
C. Enforce input validation.
D. Perform a code review.

Answer: D

Explanation:
Performing a code review is the best recommendation to ensure proper error handling at runtime for an embedded software team. A code review is a process of
examining and evaluating source code by one or more developers other than the original author. A code review can help to identify and fix any errors, bugs,
vulnerabilities, or inefficiencies in the code before it is deployed or executed. A code review can also help to ensure that the code follows the best practices,
standards, and guidelines for error handling at runtime .

NEW QUESTION 175

Which of the following can detect vulnerable third-parly libraries before code deployment?

A. Impact analysis
B. Dynamic analysis
C. Static analysis
D. Protocol analysis

Answer: C

Explanation:
Static analysis is a method of analyzing the source code or binary code of an application without executing
it. Static analysis can detect vulnerable third-party libraries before code deployment by scanning the code for references to known vulnerable libraries or versions
and reporting any issues or risks12.
Impact analysis is a process of assessing the potential effects of a change on a system or service, such as performance, availability, security and compatibility.
Impact analysis does not detect vulnerable third-party libraries before code deployment, but rather helps to evaluate and communicate the consequences of a
change.
Dynamic analysis is a method of analyzing the behavior or performance of an application by executing it under various conditions or inputs. Dynamic analysis does
not detect vulnerable third-party libraries before code deployment, but rather helps to identify any errors or defects that occur at runtime.
Protocol analysis is a method of examining the data exchanged between devices or applications over a network by capturing and interpreting the packets or
messages. Protocol analysis does not detect vulnerable third-party libraries before code deployment, but rather helps to monitor and troubleshoot network
communication.

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

 Recommend!! Get the Full CS0-002 dumps in VCE and PDF From SurePassExam
https://www.surepassexam.com/CS0-002-exam-dumps.html (372 New Questions)

NEW QUESTION 179

An email analysis system notifies a security analyst that the following message was quarantined and requires further review.

Which of the following actions should the security analyst take?

A. Release the email for delivery due to its importance.

B. Immediately contact a purchasing agent to expedite.
C. Delete the email and block the sender.
D. Purchase the gift cards and submit an expense report.

Answer: C

Explanation:
The email message that was quarantined and requires further review is an example of a phishing attempt that tries to trick the recipient into buying gift cards for a
fake urgent request from a senior executive. The security analyst should delete the email and block the sender to prevent further attempts from reaching other
users in the organization. Releasing the email for delivery, contacting a purchasing agent to expedite, or purchasing the gift cards and submitting an expense
report are actions that would fall for the phishing attempt and result in financial loss or reputation damage for the organization. Reference:
https://www.csoonline.com/article/3444488/what-is-phishing-how-this-cyber-attack-works-and-how-to-prevent

NEW QUESTION 184

An analyst needs to understand how an attacker compromised a server. Which of the following procedures will best deliver the information that is necessary to
reconstruct the steps taken by the attacker?

A. Scan the affected system with an anti-malware tool and check for vulnerabilities with a vulnerability scanner.
B. Extract the server's system timeline, verifying hashes and network connections during a certain time frame.
C. Clone the entire system and deploy it in a network segment built for tests and investigations while monitoring the system during a certain time frame.
D. Clone the server's hard disk and extract all the binary files, comparing hash signatures with malware databases.

Answer: B

Explanation:
The correct answer is B. Extract the server’s system timeline, verifying hashes and network connections during a certain time frame. A system timeline is a
chronological record of the events and activities that occurred on a system, such as file creation, modification, or deletion, process execution, registry changes, or
network connections. A system timeline can help an analyst to understand how an attacker compromised a server by showing the sequence of actions and
artifacts left by the attacker. An analyst can also verify the hashes of the files and processes involved in the compromise and compare them with known malware
signatures or databases. Additionally, an analyst can check the network connections made by the server during the compromise and identify the source and
destination IP addresses, ports, and protocols used by the attacker1.

NEW QUESTION 189

An analyst reviews a legacy Windows XP system and concludes an attacker executed code that modified the contents of the system's memory. Which of the
following attack techniques did the attacker use?

A. Rootkit
B. Backdoor
C. Privilege escalation
D. Buffer overflow

Answer: D

Explanation:
A buffer overflow is an attack technique that exploits a vulnerability in a program’s memory management, by sending more data than the buffer can hold. This can
cause the program to overwrite adjacent memory locations, and execute arbitrary code injected by the attacker.

NEW QUESTION 192

An analyst is responding 10 an incident involving an attack on a company-owned mobile device that was being used by an employee to collect data from clients in
the held. Maiware was loaded on the device via the installation of a third-party software package The analyst has baselined the device Which of the following
should the analyst do to BEST mitigate future attacks?

A. Implement MDM
B. Update the maiware catalog
C. Patch the mobile device's OS
D. Block third-party applications

Answer: D

Explanation:
Blocking third-party applications would be the best way to mitigate future attacks on company-owned mobile devices that are used by employees to collect data
from clients in the field. Third-party applications are applications that are not developed or authorized by the device manufacturer or operating system provider1.
Third-party applications can pose a security risk for mobile devices, as they may contain malware, spyware, or other malicious code that can compromise the
device or its data2. Blocking third-party applications can help prevent employees from installing unauthorized or untrusted applications on company-owned mobile
devices and reduce the attack surface.

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

 Recommend!! Get the Full CS0-002 dumps in VCE and PDF From SurePassExam
https://www.surepassexam.com/CS0-002-exam-dumps.html (372 New Questions)

NEW QUESTION 193

An organization has the following policy statements:
• AlI emails entering or leaving the organization will be subject to inspection for malware, policy violations, and unauthorized coolant.
•AM network activity will be logged and monitored.
• Confidential data will be tagged and tracked
• Confidential data must never be transmitted in an unencrypted form.
• Confidential data must never be stored on an unencrypted mobile device. Which of the following is the organization enforcing?

A. Acceptable use policy

B. Data privacy policy
C. Encryption policy
D. Data management, policy

Answer: B

Explanation:
Data privacy policy is the organization’s policy that defines how it collects, uses, stores, and shares personal data of its customers, employees, or other
stakeholders. Data privacy policy also covers how the organization complies with relevant data protection laws and regulations, such as the General Data
Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA). The policy statements listed in the question are examples of data privacy policy
provisions that aim to protect the confidentiality, integrity, and availability of personal data.

NEW QUESTION 196

A security administrator needs to provide access from partners to an Isolated laboratory network inside an organization that meets the following requirements:
• The partners' PCs must not connect directly to the laboratory network.
• The tools the partners need to access while on the laboratory network must be available to all partners
• The partners must be able to run analyses on the laboratory network, which may take hours to complete Which of the following capabilities will MOST likely meet
the security objectives of the request?

A. Deployment of a jump box to allow access to the laboratory network and use of VDI in persistent mode to provide the necessary tools for analysis
B. Deployment of a firewall to allow access to the laboratory network and use of VDI in non-persistent mode to provide the necessary tools tor analysis
C. Deployment of a firewall to allow access to the laboratory network and use of VDI In persistent mode to provide the necessary tools for analysis
D. Deployment of a jump box to allow access to the Laboratory network and use of VDI in non-persistent mode to provide the necessary tools for analysis

Answer: D

Explanation:
A jump box is a system that is connected to two networks and acts as a gateway or intermediary between them 1. A jump box can help to isolate and secure a
network by limiting the direct access to it from other networks.
A jump box can also help to monitor and audit the traffic and activity on the network. A VDI (Virtual Desktop
Infrastructure) is a technology that allows users to access virtual desktops that are hosted on a server2. A VDI can help to provide users with the necessary tools
and applications for analysis without installing them on their own PCs. A VDI can also help to reduce the maintenance and management costs of the desktops. A
VDI can operate in two modes: persistent and non-persistent. In persistent mode, each user has a dedicated virtual desktop that retains its settings and data
across sessions. In non-persistent mode, each user has a temporary virtual desktop that is deleted or reset after each session3. In this scenario, deploying a jump
box to allow access to the laboratory network and using VDI in non-persistent mode can meet the security objectives of the request. The jump box can prevent the
partners’ PCs from connecting directly to the laboratory network and reduce the risk of unauthorized access or compromise. The VDI in non-persistent mode can
provide the necessary tools for analysis without storing any data on the partners’ PCs or the virtual desktops. The VDI in non-persistent mode can also allow the
partners to run long analyses without losing their progress or results. Deploying a firewall (B) may not be sufficient or effective, as a firewall only filters or blocks
traffic based on rules and does not provide access or tools for analysis. Using VDI in persistent mode (A) © may not be secure or efficient, as persistent mode
stores data on the virtual desktops that may be sensitive or confidential.
References: 1: https://www.techrepublic.com/article/jump-boxes-vs-firewalls/ 2:
https://www.techopedia.com/definition/26139/virtual-desktop-infrastructure-vdi 3: https://www.techopedia.com/definition/31686/resource-exhaustion

NEW QUESTION 198

A manufacturing company uses a third-party service provider lor Tier 1 security support One of the requirements is that the provider must only source talent from
its own country due to geopolitical and national security interests Which of the following can the manufacturing company implement to ensure the third-party
service provider meets this requirement?

A. Implement a secure supply chain program with governance

B. Implement blacklisting for IP addresses from outside the country
C. Implement strong authentication controls for all contractors
D. Implement user behavior analytics for key staff members

Answer: A

Explanation:
Implementing a secure supply chain program with governance would be the best way to ensure the third-party service provider meets the requirement of only
sourcing talent from its own country. A secure supply chain program is a set of policies, procedures, and controls that aim to protect the integrity and security of the
products and services delivered by third-party vendors. A secure supply chain program can help mitigate the risks of geopolitical and national security interests by
verifying the origin, identity, and trustworthiness of the vendors and their employees1. Governance is a key component of a secure supply chain program, as it
provides oversight, accountability, and enforcement of the policies and procedures.

NEW QUESTION 202

An organization is performing a risk assessment to prioritize resources for mitigation and remediation based on impact. Which of the following metrics, in addition
to the CVSS for each CVE, would best enable the organization to prioritize its efforts?

A. OS type
B. OS or application versions
C. Patch availability
D. System architecture
E. Mission criticality

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

 Recommend!! Get the Full CS0-002 dumps in VCE and PDF From SurePassExam
https://www.surepassexam.com/CS0-002-exam-dumps.html (372 New Questions)

Answer: C

Explanation:
A risk assessment is a process of identifying, analyzing, and evaluating the potential threats and vulnerabilities that may affect an organization’s assets,
operations, or objectives. A risk assessment matrix is a tool that can help prioritize the risks based on their likelihood and impact1.
The CVSS (Common Vulnerability Scoring System) is a standard framework for rating the severity of vulnerabilities in software systems. The CVSS provides a
numerical score from 0 to 10, as well as a qualitative rating from Low to Critical, based on the characteristics and consequences of the vulnerability2.
However, the CVSS score alone may not be sufficient to determine the priority of mitigation and remediation actions for each vulnerability. Other factors that may
influence the decision include:
Patch availability: This metric indicates whether there is a fix or update available for the vulnerability from the vendor or developer. Patch availability can affect
the urgency and feasibility of remediation, as well as the risk exposure and potential damage of exploitation. For example, a vulnerability with a high CVSS score
but with a readily available patch may be less critical than a vulnerability with a lower CVSS score but with no patch available3.
Mission criticality: This metric reflects the importance and value of the asset or system affected by the vulnerability to the organization’s mission, goals, or
functions. Mission criticality can affect the impact and priority of remediation, as well as the risk tolerance and acceptance level of the organization. For example, a
vulnerability with a high CVSS score but affecting a non-essential system may be less critical than a vulnerability with a lower CVSS score but affecting a core
system4.
OS type: This metric indicates the operating system (OS) of the asset or system affected by the vulnerability. OS type can affect the likelihood and complexity
of exploitation, as well as the availability and compatibility of patches or mitigations. For example, a vulnerability with a high CVSS score but affecting an
uncommon or unsupported OS may be less critical than a vulnerability with a lower CVSS score but affecting a widely used or supported OS3.
OS or application versions: This metric indicates the specific version of the OS or application affected by the vulnerability. OS or application versions can affect
the applicability and relevance of the vulnerability, as well as the availability and compatibility of patches or mitigations. For example, a vulnerability with a high
CVSS score but affecting an outdated or obsolete version may be less critical than a vulnerability with a lower CVSS score but affecting a current or popular
version3.
System architecture: This metric indicates the design and configuration of the asset or system affected by the vulnerability. System architecture can affect the
exposure and accessibility of the vulnerability, as well as the effectiveness and efficiency of patches or mitigations. For example, a vulnerability with a high CVSS
score but affecting an isolated or segmented system may be less critical than a vulnerability with a lower CVSS score but affecting an interconnected or integrated
system3.
Therefore, to best enable the organization to prioritize its efforts based on impact, patch availability is one of the most important metrics to consider in addition to
the CVSS score for each CVE (Common Vulnerabilities and Exposures). Patch availability can directly influence the risk level and remediation strategy for each
vulnerability.

NEW QUESTION 203

A Chief Information Security Officer (CISO) is concerned about new privacy regulations that apply to the company. The CISO has tasked a security analyst with
finding the proper control functions to verify that a user's data is not altered without the user's consent. Which of the following would be an appropriate course of
action?

A. Automate the use of a hashing algorithm after verified users make changes to their data.
B. Use encryption first and then hash the data at regular, defined times.
C. Use a DLP product to monitor the data sets for unauthorized edits and changes.
D. Replicate the data sets at regular intervals and continuously compare the copies for unauthorized changes.

Answer: A

Explanation:
Automating the use of a hashing algorithm after verified users make changes to their data is an appropriate course of action to verify that a user’s data is not
altered without the user’s consent. Hashing is a technique that produces a unique and fixed-length value for a given input, such as a file or a message. Hashing
can help to verify the data integrity by comparing the hash values of the original and modified data. If the hash values match, then the data has not been altered
without the user’s consent. If the hash values differ, then the data may have been tampered with or corrupted .

NEW QUESTION 208

To validate local system-hardening requirements, which of the following types of vulnerability scans would work BEST to verify the scanned device meets security
policies?

A. SCAP
B. SAST
C. DAST
D. DACS

Answer: A

Explanation:
SCAP is a protocol designed to assess the security compliance of computers and other devices. It works by scanning systems against security policies, and can
help verify that the scanned device meets security requirements. Here is a link to the CompTIA CySA+ Guide's Chapter 5 - Access Controls for more information:
https://certification.comptia.org/docs/default-source/exam-objectives/cs0-002.pdf

NEW QUESTION 212

A company's application development has been outsourced to a third-party development team. Based on the SLA. The development team must follow industry
best practices for secure coding. Which of the following is the BEST way to verify this agreement?

A. Input validation
B. Security regression testing
C. Application fuzzing
D. User acceptance testing
E. Stress testing

Answer: B

Explanation:

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

 Recommend!! Get the Full CS0-002 dumps in VCE and PDF From SurePassExam
https://www.surepassexam.com/CS0-002-exam-dumps.html (372 New Questions)

Detailed
Security regression testing is a type of testing that verifies that the security features and functionality of an application are not compromised or broken by any
changes or updates in the code2. Security regression testing can help to ensure that the application follows industry best practices for secure coding and does not
introduce any new vulnerabilities or weaknesses. Security regression testing can be performed manually or automatically using tools or scripts that check for
common security flaws and compliance with security standards. Security regression testing can also help to validate the error-handling capabilities of an
application by testing how it responds to different types of inputs and scenarios. Input validation (A) is a technique that checks whether the inputs to an application
are valid and expected before processing them3. Input validation can help to prevent some types of security attacks, such as injection attacks or buffer overflows,
but it is not a way to verify that an application follows industry best practices for secure
coding. Input validation is part of secure coding, not a way to test it. Application fuzzing © is a technique that tests an application by sending random or malformed
inputs to it and observing its behavior4. Application fuzzing can help to discover some types of security vulnerabilities, such as memory leaks or crashes, but it is
not a comprehensive way to verify that an application follows industry best practices for secure coding. Application fuzzing may not cover all possible inputs and
scenarios and may not check for compliance with security standards. User acceptance testing (D) is a technique that tests an application by involving end users or
customers in evaluating its functionality and usability. User acceptance testing can help to ensure that an application meets the user requirements and
expectations, but it is not a reliable way to verify that an application follows industry best practices for secure coding. User acceptance testing may not focus on
security aspects and may not detect subtle or hidden security flaws. Stress testing (E) is a technique that tests an application by subjecting it to high levels of load
or demand. Stress testing can help to evaluate the performance and reliability of an application under extreme conditions, but it is not a relevant way to verify that
an application follows industry best practices for secure coding. Stress testing does not check for security issues and may not reflect normal usage patterns.
References: 2: https://www.techopedia.com/definition/31686/resource-exhaustion 3:
https://www.techopedia.com/definition/13493/penetration-testing 4: https://www.techopedia.com/definition/25888/security-development-lifecycle-sdl :
https://www.techopedia.com/definition/24771/technical-controls : https://www.techopedia.com/definition/32088/vm-escape

NEW QUESTION 215

A security analyst is trying to track physical locations of threat actors via SIEM log information. However, correlating IP addresses with geolocation is taking a long
time, so the analyst asks a security engineer to add geolocation to the SIEM tool. This is an example of using:

A. security orchestration, automation, and response.

B. continuous integration.
C. data enrichment.
D. threat feeds.

Answer: C

Explanation:
Data enrichment is a process that adds event and non-event contextual information to security event data in order to transform raw data into meaningful
insights123. Geolocation is one example of contextual information that can be used to enrich security event data, such as IP addresses, and provide more
information about the physical locations of threat actors. Data enrichment can help security analysts perform threat detection, threat hunting, and incident response
more effectively and efficiently.

NEW QUESTION 216

industry partners from critical infrastructure organizations were victims of attacks on their SCADA devices. The attacks used privilege escalation to gain access to
SCADA administration and access management solutions would help to mitigate this risk?

A. Multifactor authentication
B. Manual access reviews
C. Endpoint detection and response
D. Role-based access control

Answer: D

Explanation:
Role-based access control (RBAC) is a method of restricting access to resources based on the roles of users within an organization. RBAC assigns permissions
and privileges to roles, rather than individual users, and grants access based on the principle of least privilege3
RBAC can help mitigate the risk of privilege escalation attacks on SCADA devices by ensuring that only authorized users have access to SCADA administration
and management functions, and that they have the minimum level of access required to perform their tasks.

NEW QUESTION 218

A security analyst is reviewing the network security monitoring logs listed below:

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

 Recommend!! Get the Full CS0-002 dumps in VCE and PDF From SurePassExam
https://www.surepassexam.com/CS0-002-exam-dumps.html (372 New Questions)

Which of the following is the analyst most likely observing? (Select two).

A. 10.1.1.128 sent potential malicious traffic to the web server.

B. 10.1.1.128 sent malicious requests, and the alert is a false positive
C. 10.1.1.129 successfully exploited a vulnerability on the web server
D. 10.1.1.129 sent potential malicious requests to the web server
E. 10.1.1.129 can determine mat port 443 is being used
F. 10.1.1.130 can potentially obtain information about the PHP version

Answer: DF

Explanation:
A security analyst is reviewing the network security monitoring logs listed below and is most likely observing that 10.1.1.129 sent potential malicious requests to
the web server and that 10.1.1.130 can potentially obtain information about the PHP version. The logs show that 10.1.1.129 sent two requests to the web server
with suspicious parameters, such as “union select” and “or 1=1”, which are commonly used for SQL injection attacks. The logs also show that 10.1.1.130 sent a
request to the web server with a parameter “phpinfo”, which is a function that displays information about the PHP configuration and environment, which can be
useful for attackers to find vulnerabilities or exploit them. References: CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page 8;
https://owasp.org/www-community/attacks/SQL_Injection; https://www.php.net/manual/en/function.phpinfo.php

NEW QUESTION 221

A security analyst needs to provide a copy of a hard drive for forensic analysis. Which of the following would allow the analyst to perform the task?
A)

B)

C)

D)

A. Option A
B. Option B
C. Option C
D. Option D

Answer: C

Explanation:
Option C shows a device that can perform a forensic copy of a hard drive. A forensic copy, also known as a forensic image or a bit-stream image, is an exact,
unaltered digital copy of a piece of digital evidence. A forensic copy captures everything on the hard drive, including active and latent data, and preserves the
integrity of the original evidence. A forensic copy can be used for forensic analysis without risking any changes to the original drive1. Option C shows a device that
can connect to two hard drives and create a
forensic copy from one drive to another using a write-blocker. A write-blocker is a tool that prevents any data from being written to the destination drive, ensuring
that only a read-only copy is made2.

NEW QUESTION 225

During an incident response procedure, a security analyst collects a hard drive to analyze a possible vector of compromise. There is a Linux swap partition on the
hard drive that needs to be checked. Which of the following, should the analyst use to extract human-readable content from the partition?

A. strings
B. head

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

 Recommend!! Get the Full CS0-002 dumps in VCE and PDF From SurePassExam
https://www.surepassexam.com/CS0-002-exam-dumps.html (372 New Questions)

C. fsstat
D. dd

Answer: A

Explanation:
The strings command is a Linux utility that can extract human-readable content from any file or partition3. It can be used to analyze a Linux swap partition by
finding text strings that may indicate malicious activity or compromise4. The head command (B) can only display the first few lines of a file or partition, which may
not contain any useful information. The fsstat command © can only display file system statistics such as size, type, and layout, which may not reveal any human-
readable content. The dd command (D) can only copy or convert a file or partition, which may not extract any human-readable content.
References: 3: https://linux.die.net/man/1/strings 4: https://www.linuxjournal.com/content/using-strings-command

NEW QUESTION 227

A forensics investigator is analyzing a compromised workstation. The investigator has cloned the hard drive and needs to verify that a bit-level image copy of a
hard drive is an exact clone of the original hard drive that was collected as evidence. Which of the following should the investigator do?

A. Insert the hard drive on a test computer and boot the computer.
B. Record the serial numbers of both hard drives.
C. Compare the file-directory "sting of both hard drives.
D. Run a hash against the source and the destination.

Answer: D

Explanation:
A hash is a mathematical function that produces a unique value for a given input. A hash can be used to verify that a bit-level image copy of a hard drive is an
exact clone of the original hard drive by comparing the hash values of both drives. If the hash values match, then the drives are identical. If the hash values differ,
then there is some discrepancy between the drives. Inserting the hard drive on a test computer and booting the computer, recording the serial numbers of both
hard drives, or comparing the file-directory listing of both hard drives are not reliable methods to verify that a bit-level image copy of a hard drive is an exact clone
of the original hard drive. Reference: https://www.forensicswiki.org/wiki/Hashing

NEW QUESTION 232

During an incident investigation, a security analyst discovers the web server is generating an unusually high volume of logs The analyst observes the following
response codes:
• 20% of the logs are 403
• 20% of the logs are 404
• 50% of the logs are 200
• 10% of the logs are other codes
The server generates 2MB of logs on a daily basis, and the current day log is over 200MB. Which of the following commands should the analyst use to identify the
source of the activity?

A. cat access_log Igrep " 403 "

B. cat access_log Igrep " 200 "
C. cat access_log Igrep " 100 "
D. cat access_log Igrep " 4 04 "
E. cat access_log Igrep " 204 "

Answer: B

Explanation:
Requests sent from the same IP address using different user agents are likely to be malicious or suspicious, as they indicate that an attacker is trying to evade
detection or bypass security controls by changing their browser or device identification. These requests may indicate that an attacker is using automated tools or
scripts to scan or attack the web server.
Requests identified by a threat intelligence service with a bad reputation are also likely to be malicious or suspicious, but they are not the source of the activity, as
they originate from different IP addresses. These requests may indicate that an attacker is trying to exploit a vulnerability or perform reconnaissance on the web
server.
Requests blocked by the web server per the input sanitization are not likely to be the source of the activity, as they indicate that the web server has successfully
prevented an attack by validating and filtering any malicious input from the requests. These requests may indicate that an attacker is trying to inject malicious code
or commands into the web server.
Failed log-in attempts against the web application are not likely to be the source of the activity, as they indicate that the web application has successfully prevented
unauthorized access by verifying and rejecting any invalid credentials from the requests. These requests may indicate that an attacker is trying to guess or brute-
force passwords or usernames for the web application.
Requests sent by NICs with outdated firmware are not likely to be the source of the activity, as they indicate that some devices on the network have not been
updated with the latest security patches or features for their network interface cards (NICs). These requests may indicate that some devices are vulnerable to
network attacks or have performance issues.
Existence of HTTP/501 status codes generated to the same IP address are not likely to be the source of the activity, as they indicate that the web server has
encountered an error or does not support a request method from the client. These requests may indicate that an attacker is trying to use an invalid or unsupported
method to access the web server.

NEW QUESTION 233

Which of the following is the BEST option to protect a web application against CSRF attacks?

A. Update the web application to the latest version.

B. Set a server-side rate limit for CSRF token generation.
C. Avoid the transmission of CSRF tokens using cookies.
D. Configure the web application to only use HTTPS and TLS 1.3.

Answer: C

Explanation:
CSRF tokens are random values that are generated by the server and included in requests that perform

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

 Recommend!! Get the Full CS0-002 dumps in VCE and PDF From SurePassExam
https://www.surepassexam.com/CS0-002-exam-dumps.html (372 New Questions)

state-changing actions. They are used to prevent CSRF attacks by verifying that the request originates from a legitimate source. However, if the CSRF tokens are
transmitted using cookies, they are vulnerable to being stolen or forged by an attacker who can exploit other vulnerabilities, such as cross-site scripting (XSS) or
cookie injection. Therefore, a better option is to avoid the transmission of CSRF tokens using cookies and use other methods, such as hidden form fields or custom
HTTP headers. References: CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page 11;
https://owasp.org/www-community/attacks/csrf

NEW QUESTION 236

A company's legal department is concerned that its incident response plan does not cover the countless ways security incidents can occur. The department has
asked a security analyst to help tailor the response plan to provide broad coverage for many situations. Which of the following is the best way to achieve this goal?

A. Focus on incidents that have a high chance of reputation harm.

B. Focus on common attack vectors first.
C. Focus on incidents that affect critical systems.
D. Focus on incidents that may require law enforcement support.

Answer: C

Explanation:
An incident response plan should cover the most important and likely scenarios that could compromise the security and operations of an organization. According to
various sources of best practice1s23, an incident response plan should start by conducting a risk assessment to identify potential threats and vulnerabilities, and
prioritize the critical systems that need to be protected and restored in case of an incident. Focusing on incidents that affect critical systems ensures that the
incident response plan covers the most severe and impactful situations that could harm the organization’s mission, reputation, or legal obligations.

NEW QUESTION 239

A security analyst performs a weekly vulnerability scan on a network that has 240 devices and receives a report with 2.450 pages. Which of the following would
most likely decrease the number of false positives?

A. Manual validation
B. Penetration testing
C. A known-environment assessment
D. Credentialed scanning

Answer: D

Explanation:
Credentialed scanning is a method of vulnerability scanning that uses valid user credentials to access the target systems and perform a more thorough and
accurate assessment of their security posture. Credentialed scanning can help to reduce the number of false positives by allowing the scanner to access more
information and resources on the systems, such as configuration files, registry keys, installed software, patches, and permissions .

NEW QUESTION 244

A cybersecurity analyst inspects DNS logs on a regular basis to identify possible IOCs that are not triggered by known signatures. The analyst reviews the
following log snippet:

Which of the following should the analyst do next based on the information reviewed?

A. The analyst should disable DNS recursion.

B. The analyst should block requests to no—thank
C. invalid.
D. The analyst should disconnect host 192.168.1.67.
E. The analyst should sinkhole 102.100.20.20.
F. The analyst should disallow queries to the 8.8.8.8 resolver.

Answer: B

Explanation:
The correct answer is B. The analyst should block requests to no-thanks.invalid. The log snippet shows a DNS query from host 192.168.1.67 to the public resolver
8.8.8.8 for the domain name no-thanks.invalid, which is resolved to the IP address 102.100.20.20. This is a possible indicator of compromise (IOC), as
no-thanks.invalid is a known malicious domain that is used by attackers to exfiltrate data or execute

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

 Recommend!! Get the Full CS0-002 dumps in VCE and PDF From SurePassExam
https://www.surepassexam.com/CS0-002-exam-dumps.html (372 New Questions)

commands on compromised hosts1. The analyst should block requests to this domain to prevent further communication with the attacker’s server and investigate
the host 192.168.1.67 for signs of infection.
* A. The analyst should disable DNS recursion is not correct. DNS recursion is a process where a DNS server queries other DNS servers on behalf of a client until
it finds the authoritative answer for a domain name2.
Disabling DNS recursion would prevent the DNS server from resolving any domain names that are not in its cache or zone files, which would affect the normal
functionality of the network and the internet access of the clients.
* C. The analyst should disconnect host 192.168.1.67 is not correct. Disconnecting host 192.168.1.67 would stop the communication with the malicious domain,
but it would also disrupt the legitimate activities of the host and its user. Moreover, disconnecting the host would not remove the malware or root cause of the
compromise, and it would not prevent the host from reconnecting to the malicious domain once it is online again.
* D. The analyst should sinkhole 102.100.20.20 is not correct. Sinkholing is a technique that redirects malicious or unwanted traffic to a controlled destination, such
as a fake or isolated server3. Sinkholing 102.100.20.20 would prevent the communication with the malicious domain, but it would also require access and control
over the public resolver 8.8.8.8, which is not owned or managed by the analyst or the company.
* E. The analyst should disallow queries to the 8.8.8.8 resolver is not correct. Disallowing queries to the 8.8.8.8 resolver would prevent the communication with the
malicious domain, but it would also affect the resolution of other legitimate domain names that are not in the local DNS server’s cache or zone files.
* 1: DNS Tunneling: how DNS can be (ab)used by malicious actors 2: What Is DNS Recursion? 3: What Sinkhole Attack?

NEW QUESTION 249

Which of the following is the primary reason financial institutions may share up-to-date threat intelligence information on a secure feed that is dedicated to their
sector?

A. To augment information about common malicious actors and indicators of compromise

B. To prevent malicious actors from knowing they can defend against malicious attacks
C. To keep other industries from accessing information meant for financial institutions
D. To focus on attacks specifically targeted at their customers’ mobile applications

Answer: A

Explanation:
This is the primary reason why financial institutions may share up-to-date threat intelligence information on a secure feed that is dedicated to their sector. Threat
intelligence is the collection, analysis, and dissemination of information about current or potential threats to an organization’s assets, operations, or reputation. By
sharing threat intelligence information, financial institutions can benefit from the collective knowledge, experience, and capabilities of their peers and partners, and
enhance their situational awareness, threat detection, and incident response. Sharing threat intelligence information can also help financial institutions identify
common attack patterns, trends, and techniques, as well as the malicious actors and indicators of compromise (IOCs) associated with them. IOCs are pieces of
forensic data that can be used to identify potentially malicious activities or intrusions on a network or system, such as IP addresses, domains, URLs, file hashes, or
email addresses

NEW QUESTION 252

An organization supports a large number of remote users. Which of the following is the best option to protect the data on the remote users' laptops?

A. Require the use of VPNs.

B. Require employees to sign an NDA.
C. Implement a DLP solution.
D. Use whole disk encryption.

Answer: D

Explanation:
Using whole disk encryption is the best option to protect the data on the remote users’ laptops. Whole disk encryption is a technique that encrypts all data on a
hard disk drive, including the operating system, applications and files. Whole disk encryption can prevent unauthorized access to the data if the laptop is lost,
stolen or compromised. Whole disk encryption can also protect the data from physical attacks, such as removing the hard disk and connecting it to another device .

NEW QUESTION 257

Wncn ol the following provides an automated approach 10 checking a system configuration?

A. SCAP
B. CI/CD
C. OVAL
D. Scripting
E. SOAR

Answer: A

Explanation:
SCAP stands for Security Content Automation Protocol, which is a set of standards and specifications that allows automated configuration and vulnerability
management of systems. SCAP provides an automated approach to checking a system configuration by using standardized expressions and formats to evaluate
the system’s compliance with predefined policies or benchmarks. CI/CD, OVAL, scripting, or SOAR are other terms related to automation or security, but they do
not provide an automated approach to checking a system configuration. Reference: https://csrc.nist.gov/projects/security-content-automation-protocol

NEW QUESTION 262

An organization has specific technical nsk mitigation configurations that must be implemented before a new server can be approved for production Several critical
servers were recently deployed with the antivirus missing unnecessary ports disabled and insufficient password complexity Which of the following should the
analyst recommend to prevent a recurrence of this risk exposure?

A. Perform password-cracking attempts on all devices going into production

B. Perform an Nmap scan on all devices before they are released to production
C. Perform antivirus scans on all devices before they are approved for production
D. Perform automated security controls testing of expected configurations pnor to production

Answer: D

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

 Recommend!! Get the Full CS0-002 dumps in VCE and PDF From SurePassExam
https://www.surepassexam.com/CS0-002-exam-dumps.html (372 New Questions)

Explanation:
Automated security controls testing is a method that uses tools or scripts to verify that the security controls of a system or device are configured correctly and
comply with the organization’s policies and standards. Performing automated security controls testing of expected configurations prior to production would help
prevent a recurrence of the risk exposure caused by missing antivirus, unnecessary ports enabled, and insufficient password complexity. Performing password-
cracking attempts, Nmap scans, or antivirus scans on all devices before they are released to production are other methods that can help detect some security
issues, but they are not as comprehensive or efficient as automated security controls testing. Reference:
https://www.nist.gov/system/files/documents/2017/04/28/sp800-115.pdf

NEW QUESTION 265

A forensic analyst is conducting an investigation on a compromised server Which of the following should the analyst do first to preserve evidence''

A. Restore damaged data from the backup media

B. Create a system timeline
C. Monitor user access to compromised systems
D. Back up all log files and audit trails

Answer: D

Explanation:
A forensic analyst is conducting an investigation on a compromised server. The first step that the analyst should do to preserve evidence is to back up all log files
and audit trails. This will ensure that the analyst has a copy of the original data that can be used for analysis and verification. Backing up the log files and audit
trails will also prevent any tampering or modification of the evidence by the attacker or other parties. The other options are not the first steps or may alter or destroy
the evidence. References: CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page 16;
https://www.nist.gov/publications/guide-collection-and-preservation-digital-evidence

NEW QUESTION 266

An analyst Is reviewing a web developer's workstation for potential compromise. While examining the workstation's hosts file, the analyst observes the following:

Which of the following hosts file entries should the analyst use for further investigation?

A. ::1
B. 127.0.0.1
C. 192.168.3.249
D. 198.51.100.5

Answer: D

Explanation:
The hosts file is a text file that maps hostnames to IP addresses, and it can be used to override DNS resolution. The hosts file entries that should be used for
further investigation are the ones that point to external or suspicious IP addresses, such as 198.51.100.5, which is a reserved IP address for documentation
purposes. The other entries are either loopback addresses (::1 and 127.0.0.1) or internal network addresses (192.168.3.249), which are less likely to be malicious.

NEW QUESTION 268

A company recently experienced a breach of sensitive information that affects customers across multiple geographical regions. Which of the following roles would
be BEST suited to determine the breach notification requirements?

A. Legal counsel
B. Chief Security Officer
C. Human resources
D. Law enforcement

Answer: A

Explanation:
A breach notification is a communication to affected individuals or entities that informs them of a security incident involving their personal or sensitive information.
A breach notification may include details such as what information was compromised, when and how the incident occurred, what actions are being taken to
mitigate the impact, and what steps the recipients should take to protect themselves3
A breach notification may be required by law or regulation, depending on the type and location of the information involved and the jurisdiction of the affected
parties. Different countries or regions may have different breach notification requirements, such as who must be notified, when, how, and what information must be
disclosed4
Therefore, the best role to determine the breach notification requirements for a company that experienced a breach of sensitive information affecting customers
across multiple geographical regions is legal counsel. Legal counsel can advise the company on its legal obligations and liabilities, as well as help draft and deliver
appropriate breach notifications.

NEW QUESTION 273

A security analyst sees the following OWASP ZAP output from a scan that was performed against a modern version of Windows while testing for client-side
vulnerabilities:

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

 Recommend!! Get the Full CS0-002 dumps in VCE and PDF From SurePassExam
https://www.surepassexam.com/CS0-002-exam-dumps.html (372 New Questions)

Which of the following is the MOST likely solution to the listed vulnerability?

A. Enable the browser's XSS filter.

B. Enable Windows XSS protection
C. Enable the browser's protected pages mode
D. Enable server-side XSS protection

Answer: A

Explanation:
Enabling the browser’s XSS filter would be the most likely solution to the listed vulnerability. The vulnerability is a reflected cross-site scripting (XSS) attack, which
occurs when a malicious script is injected into a web page that reflects user input back to the browser without proper validation or encoding. The malicious script
can then execute in the browser and perform various actions, such as stealing cookies, redirecting to malicious sites, or displaying fake content2. Enabling the
browser’s XSS filter can help prevent reflected XSS attacks by detecting and blocking malicious scripts before they execute in the browser3.

NEW QUESTION 277

......

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

 Recommend!! Get the Full CS0-002 dumps in VCE and PDF From SurePassExam
https://www.surepassexam.com/CS0-002-exam-dumps.html (372 New Questions)

Thank You for Trying Our Product

We offer two products:

1st - We have Practice Tests Software with Actual Exam Questions

2nd - Questons and Answers in PDF Format

CS0-002 Practice Exam Features:

* CS0-002 Questions and Answers Updated Frequently

* CS0-002 Practice Questions Verified by Expert Senior Certified Staff

* CS0-002 Most Realistic Questions that Guarantee you a Pass on Your FirstTry

* CS0-002 Practice Test Questions in Multiple Choice Formats and Updatesfor 1 Year

100% Actual & Verified — Instant Download, Please Click

Order The CS0-002 Practice Test Here

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

Powered by TCPDF (www.tcpdf.org)