CompTIA CompTIA Certifications CS0-002 Questions & Answers

• Question 571:

  A security analyst received a compromised workstation. The workstation's hard drive may contain evidence of criminal activities. Which of the following is the FIRST thing the analyst must do to ensure the integrity of the hard drive while performing the analysis?

  A. Make a copy of the hard drive.

  B. Use write blockers.

  C. Run rm -R command to create a hash.

  D. Install it on a different machine and explore the content.

  Correct Answer: B

• Question 572:

  Which of the following best practices is used to identify areas in the network that may be vulnerable to penetration testing from known external sources?

  A. Blue team training exercises

  B. Technical control reviews

  C. White team training exercises

  D. Operational control reviews

  Correct Answer: A

• Question 573:

  Which of the following BEST describes the offensive participants in a tabletop exercise?

  A. Red team

  B. Blue team

  C. System administrators

  D. Security analysts

  E. Operations team

  Correct Answer: A

• Question 574:

  After analyzing and correlating activity from multiple sensors, the security analyst has determined a group from a high-risk country is responsible for a sophisticated breach of the company network and continuous administration of targeted attacks for the past three months. Until now, the attacks went unnoticed. This is an example of:

  A. privilege escalation.

  B. advanced persistent threat.

  C. malicious insider threat.

  D. spear phishing.

  Correct Answer: B

• Question 575:

  A system administrator who was using an account with elevated privileges deleted a large amount of log files generated by a virtual hypervisor in order to free up disk space. These log files are needed by the security team to analyze the health of the virtual machines. Which of the following compensating controls would help prevent this from reoccurring? (Select two.)

  A. Succession planning

  B. Separation of duties

  C. Mandatory vacation

  D. Personnel training

  E. Job rotation

  Correct Answer: BD

• Question 576:

  A security analyst is reviewing port scan data that was collected over the course of several months. The following data represents the trends:

  

  Which of the following is the BEST action for the security analyst to take after analyzing the trends?

  A. Review the system configurations to determine if port 445 needs to be open.

  B. Assume there are new instances of Apache in the environment.

  C. Investigate why the number of open SSH ports varied during the six months.

  D. Raise a concern to a supervisor regarding possible malicious use Of port 8443.

  Correct Answer: C

  According to the CompTIA CySA+ Certification Exam Study guide, the best action for the security analyst to take after analyzing the trends is to investigate why the number of open SSH ports varied during the six months. This could indicate that malicious actors are attempting to gain access to the system, and it would be important to find out the root cause of this activity in order to prevent further intrusions. Additionally, raising a concern to a supervisor regarding possible malicious use of port 8443 would also be a prudent step, as this port is often used by attackers. As stated in the study guide, "Monitoring network ports and traffic can provide insight into suspicious activity and may be necessary to identify malicious activities". Additionally, "Ports can be used to gain unauthorized access to a system, so it is important to monitor the ports and to take steps to ensure that only necessary ports are open".

• Question 577:

  A systems administrator believes a user's workstation has been compromised. The workstation's performance has been lagging significantly for the past several hours. The administrator runs the task list

  / v command and receives the following output:

  

  Which of the following should a security analyst recognize as an indicator of compromise?

  A. dwm.exe being executed under the user context

  B. The high usage of vscode. exe * 32

  C. The abnormal behavior of paint.exe

  D. svchost.exe being executed as SYSTEM

  Correct Answer: C

  The tasklist command is used to display a list of all running processes on a system. In this output, the security analyst should recognize the high memory usage (1302103K) of vscode.exe * 32, which is an indication that this process is

  consuming a large amount of system resources. This could be a sign that the system has been compromised, as malware often uses system resources to perform malicious activities. Reference: CompTIA CySA+ Certification Exam Study

  Guide, S0-002, Chapter 2:

  Threats and Vulnerabilities, Objective 2.3: Given a scenario, analyze indicators of compromise and determine the type of malware, pp. 66-69.

• Question 578:

  Ensuring that all areas of security have the proper controls is a primary reason why organizations use:

  A. frameworks.

  B. directors and officers.

  C. incident response plans.

  D. engineering rigor.

  Correct Answer: A

  Ensuring that all areas of security have the proper controls is a primary reason why organizations use frameworks. Frameworks provide an organized structure for organizations to evaluate their security posture and implement the necessary security measures for their operations. Frameworks such as NIST, COBIT, and ISO 27001 provide guidance on how to develop, implement and monitor security policies, controls, and procedures for an organization. Additionally, frameworks provide a benchmark for organizations to measure their security posture against and create a roadmap for continued improvement.

• Question 579:

  An email analysis system notifies a security analyst that the following message was quarantined and requires further review.

  From: [email protected]

  To: [email protected]

  Subject: [EXTERNAL] Gift card purchase ASAP

  Body:

  Please purchase gift cards to any major electronics store and reply with pictures of them to this email!

  Which of the following actions should the security analyst take?

  A. Release the email for delivery due to its importance

  B. Immediately contact a purchasing agent to expedite.

  C. Delete the email and block the sender.

  D. Purchase the gift cards and submit an expense report.

  Correct Answer: C

• Question 580:

  Which ol the following provides an automated approach 10 checking a system configuration?

  A. SCAP

  B. CI/CD

  C. OVAL

  D. Scripting

  E. SOAR

  Correct Answer: A