An international company is implementing a marketing campaign for a new product and needs a security analyst to perform a threat-hunting process to identify possible threat actors. Which of the following should be the analyst's primary focus?
A. Hacktivists
B. Organized crime
C. Nation-states
D. Insider threats
Correct Answer: B
Question 812:
A security analyst discovers a standard user has unauthorized access to the command prompt, PowerShell, and other system utilities. Which of the following is the BEST action for the security analyst to take?
A. Disable the appropriate settings in the administrative template of the Group Policy.
B. Use AppLocker to create a set of whitelist and blacklist rules specific to group membership.
C. Modify the registry keys that correlate with the access settings for the System32 directory.
D. Remove the user's permissions from the various system executables.
Correct Answer: A
Question 813:
A security analyst notices the following proxy log entries:
Which of the following is the user attempting to do based on the log entries?
A. Use a DoS attack on external hosts.
B. Exfiltrate data.
C. Scan the network.
D. Relay email.
Correct Answer: C
Explanation: The user is scanning the network. The log entries show the same user connecting through the proxy to a series of IP addresses on many different ports in quick succession. Probing a range of hosts and ports to learn which are live and what services they expose is reconnaissance, and routing it through the proxy hides the true source. Note that an ICMP ping carries no port number, so entries that list destination ports are TCP connection attempts, which is exactly what a port scanner generates. A DoS attack would show a high volume of requests against one or a few hosts, exfiltration would show large outbound transfers to a small number of destinations, and relaying email would show repeated connections to SMTP ports (25, 465, 587).
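Added example (not part of the original question or explanation): a small detector that reads proxy log lines and flags a client that touches many distinct hosts or ports within a short window, which is the breadth pattern described above. The Squid-style line format, the sample log lines and the thresholds are all constructed assumptions and should be adapted to your own proxy.

```python
"""Flag proxy clients whose request pattern looks like host/port scanning.

Added example, not from the original page. The line format
"time client method host:port status" and the thresholds are assumptions;
tune them for your own proxy and environment.
"""
from collections import defaultdict
from datetime import datetime

WINDOW_SECONDS = 60          # assumption: judge activity inside a 60-second sliding window
MIN_DISTINCT_HOSTS = 5       # assumption: this many destinations in one window is suspicious
MIN_DISTINCT_PORTS = 5       # assumption: this many different ports in one window is suspicious

# Constructed sample log: 10.1.5.23 probes several hosts and ports and is mostly
# refused (503); 10.1.5.77 is ordinary browsing.
SAMPLE_LOG = """\
2024-03-01T10:00:01 10.1.5.23 CONNECT 203.0.113.10:22 503
2024-03-01T10:00:01 10.1.5.23 CONNECT 203.0.113.10:23 503
2024-03-01T10:00:02 10.1.5.23 CONNECT 203.0.113.10:80 200
2024-03-01T10:00:02 10.1.5.23 CONNECT 203.0.113.11:22 503
2024-03-01T10:00:03 10.1.5.23 CONNECT 203.0.113.11:443 200
2024-03-01T10:00:03 10.1.5.23 CONNECT 203.0.113.12:3389 503
2024-03-01T10:00:04 10.1.5.23 CONNECT 203.0.113.13:445 503
2024-03-01T10:00:04 10.1.5.23 CONNECT 203.0.113.14:8080 503
2024-03-01T10:00:10 10.1.5.77 GET www.example.com:80 200
2024-03-01T10:00:11 10.1.5.77 CONNECT www.example.com:443 200
2024-03-01T10:00:12 10.1.5.77 CONNECT cdn.example.com:443 200
"""


def parse_line(line):
    """Split one log line into its fields; the port is separated from the host."""
    ts, client, method, target, status = line.split()
    host, port = target.rsplit(":", 1)
    return {"ts": datetime.fromisoformat(ts), "client": client, "method": method,
            "host": host, "port": int(port), "status": int(status)}


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_scanners(events, window=WINDOW_SECONDS,
                  min_hosts=MIN_DISTINCT_HOSTS, min_ports=MIN_DISTINCT_PORTS):
    """Return {client: summary} for clients that touched many hosts or ports in one window.

    Scanning shows breadth (many hosts, many ports, mostly failed connects);
    a DoS shows volume against few hosts, exfiltration shows large transfers
    to one or two hosts, and mail relay shows repeated SMTP ports.
    """
    by_client = defaultdict(list)
    for ev in events:
        by_client[ev["client"]].append(ev)

    findings = {}
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        start, best = 0, None
        for end in range(len(evs)):
            # slide the window start forward until it fits within `window` seconds of the newest event
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window:
                start += 1
            win = evs[start:end + 1]
            hosts = {e["host"] for e in win}
            ports = {e["port"] for e in win}
            if len(hosts) >= min_hosts or len(ports) >= min_ports:
                failed = sum(1 for e in win if e["status"] >= 400)
                summary = {"distinct_hosts": len(hosts), "distinct_ports": len(ports),
                           "requests": len(win), "failed_ratio": round(failed / len(win), 2)}
                if best is None or summary["requests"] > best["requests"]:
                    best = summary
        if best is not None:
            findings[client] = best
    return findings


if __name__ == "__main__":
    for client, summary in find_scanners(parse_log(SAMPLE_LOG)).items():
        print(f"possible scan from {client}: {summary}")
```

Running it on the constructed log flags only 10.1.5.23 (5 hosts, 7 ports, 75% of connects refused); the browsing client never exceeds two hosts or two ports in a window. The failed ratio is the useful second signal: a legitimate user fanning out to many CDN hosts succeeds, a scanner mostly does not.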
Question 814:
An organization implemented an extensive firewall access-control blocklist to prevent internal network ranges from communicating with a list of IP addresses of known command-and-control domains. A security analyst wants to reduce the load on the firewall. Which of the following can the analyst implement to achieve similar protection and reduce the load on the firewall?
A. A DLP system
B. DNS sinkholing
C. IP address allow list
D. An inline IDS
Correct Answer: B
Explanation: DNS sinkholing configures the organization's internal DNS resolver to answer queries for known command-and-control domains with a controlled (sinkhole) address instead of the real one. Infected hosts therefore never open connections to the real C2 IP addresses, so the firewall no longer has to evaluate every outbound packet against a long blocklist; at most one rule for the sinkhole address is needed, and the resolver's logs identify which internal hosts attempted to reach C2 infrastructure. A DLP system inspects data content rather than C2 traffic, an IP address allow list would require enumerating every legitimate destination, and an inline IDS adds inspection work instead of removing it. References: CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page 9; https://www.enisa.europa.eu/topics/incident-response/glossary/dns-sinkhole
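Added example (not part of the original question or explanation): the resolver-side logic of a DNS sinkhole, written to show the two details that matter in practice, matching subdomains of a blocked C2 domain and recording which client asked. The blocklist entries, the sinkhole address and the stand-in upstream resolver are constructed (documentation names and RFC 5737/RFC 1918 addresses), not real indicators.

```python
"""DNS sinkhole logic: answer queries for known C2 domains with a controlled
address so infected hosts never reach the real C2 IP.

Added example, not from the original page. The blocklist, the sinkhole address
and the stand-in upstream resolver are constructed for illustration.
"""

SINKHOLE_IP = "10.250.0.1"   # assumption: an internal host that accepts, logs and drops connections

# Constructed C2 domain list; in practice this is the same threat-intel feed
# that previously fed the firewall blocklist.
C2_BLOCKLIST = {"c2.example.net", "beacon.example.org"}


def normalize(qname):
    """DNS names are case-insensitive and may carry a trailing dot."""
    return qname.rstrip(".").lower()


def match_blocked(qname, blocklist=C2_BLOCKLIST):
    """Return the blocklist entry that covers qname (the exact name or any parent
    domain, so cdn.c2.example.net is caught by c2.example.net), else None."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


class SinkholeResolver:
    """Wraps the real resolver; blocked names get the sinkhole address and a log entry."""

    def __init__(self, upstream, blocklist=C2_BLOCKLIST, sinkhole_ip=SINKHOLE_IP):
        self.upstream = upstream          # callable name -> IP: the normal resolver path
        self.blocklist = blocklist
        self.sinkhole_ip = sinkhole_ip
        self.hits = []                    # (client, qname, matched): hosts that tried to reach C2

    def resolve(self, client_ip, qname):
        matched = match_blocked(qname, self.blocklist)
        if matched is not None:
            self.hits.append((client_ip, normalize(qname), matched))
            return self.sinkhole_ip
        return self.upstream(qname)


# Constructed stand-in for the upstream resolver (RFC 5737 documentation addresses).
_UPSTREAM_TABLE = {
    "www.example.com": "192.0.2.10",
    "c2.example.net": "198.51.100.7",
    "cdn.c2.example.net": "198.51.100.8",
}


def fake_upstream(qname):
    """Pretend to forward the query upstream; unknown names resolve to nothing."""
    return _UPSTREAM_TABLE.get(normalize(qname))


def demo():
    """Run three queries and return (answers, hits) for inspection."""
    resolver = SinkholeResolver(fake_upstream)
    answers = [
        resolver.resolve("10.1.5.77", "www.example.com"),
        resolver.resolve("10.1.5.23", "CDN.c2.example.net."),   # subdomain, mixed case, trailing dot
        resolver.resolve("10.1.5.23", "beacon.example.org"),
    ]
    return answers, resolver.hits


if __name__ == "__main__":
    answers, hits = demo()
    print("answers:", answers)
    print("hosts that tried to reach C2:", hits)
```

With this in place the firewall needs at most one rule (for 10.250.0.1) instead of one per C2 address, and the resolver's hit list is the incident queue. The caveat a practitioner should keep in mind: a sinkhole only sees traffic that resolves names through the corporate resolver. Malware using hard-coded IP addresses or DNS over HTTPS to an outside resolver bypasses it, so keep an egress rule that blocks DNS and DoH to anything but the internal resolvers.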
Question 815:
A security analyst performs a weekly vulnerability scan on a network that has 240 devices and receives a report with 2,450 pages. Which of the following would most likely decrease the number of false positives?
A. Manual validation
B. Penetration testing
C. A known-environment assessment
D. Credentialed scanning
Correct Answer: D
Explanation: Credentialed scanning is a method of vulnerability scanning in which the scanner logs in to each target with valid credentials and inspects it from the inside. An uncredentialed scan has to infer vulnerabilities from banners, version strings and network responses, so it reports issues that a backported patch, a configuration setting or a permission change has already mitigated. A credentialed scan can read the installed software and patch levels, configuration files, registry keys and permissions directly, which confirms or rules out each finding and removes much of the noise from a 2,450-page report. Manual validation also eliminates false positives, but only one finding at a time after the report is produced; penetration testing and known-environment assessments are different activities with a different purpose. Reference: https://www.tenable.com/blog/credentialed-vulnerability-scanning-what-why-and-how
Question 816:
Which of the following software assessment methods would be used to determine how an application performs during peak times?
A. Security regression testing
B. Stress testing
C. Static analysis testing
D. Dynamic analysis testing
E. User acceptance testing
Correct Answer: B
Explanation: Stress testing is a software assessment method that tests how an application performs under peak times or extreme workloads. Stress testing can help to identify performance issues, bottlenecks, errors or crashes that occur when an application faces high demand or many concurrent users, and it establishes the maximum capacity and scalability of the application. The other options assess correctness or security (regression, static and dynamic analysis) or fitness for the business requirement (user acceptance testing), not behaviour under load.
Question 817:
A security analyst is analyzing the following output from the Spider tab of OWASP ZAP after a vulnerability scan was completed:
Which of the following options can the analyst conclude based on the provided output?
A. The scanning vendor used robots to make the scanning job faster
B. The scanning job was successfully completed, and no vulnerabilities were detected
C. The scanning job did not successfully complete due to an out of scope error
D. The scanner executed a crawl process to discover pages to be assessed
Correct Answer: D
Explanation: The output shows the result of using OWASP ZAP's Spider tab after a vulnerability scan was completed. The Spider tab allows users to crawl web applications and discover pages and resources that can be assessed for vulnerabilities. The output shows that the scanner discovered various pages under different directories, such as /admin/, /blog/, /contact/, etc., as well as some parameters and forms that can be used for testing inputs and outputs.
Question 818:
Which of the following lines from this output most likely indicates that attackers could quickly use brute force and determine the negotiated secret session key?
A. TLS_RSA_WITH_DES_CBC_SHA 56
B. TLS_DHE_RSA_WITH_AES_128_CBC_SHA 128 DH (1024 bits)
C. TLS_RSA_WITH_AES_256_CBC_SHA 256
D. TLS_DHE_RSA_WITH_AES_256_GCM_SHA256 DH (2048 bits)
Correct Answer: A
Explanation: TLS_RSA_WITH_DES_CBC_SHA 56 is the line that indicates a session key an attacker could brute force quickly. The negotiated secret session key for that suite is a single-DES key with only 56 effective bits; exhaustive search of a 56-bit key space has been practical since the 1990s (the EFF's Deep Crack machine recovered a DES key in 1998) and is routine with modern GPU or FPGA clusters, so a captured session could be decrypted outright. The 1024-bit Diffie-Hellman group in TLS_DHE_RSA_WITH_AES_128_CBC_SHA is also below the current 2048-bit minimum and should be removed, but its weakness is a precomputation attack on the group (Logjam) rather than a quick brute force of the session key, and the 128-bit AES key it derives cannot be searched exhaustively. The two AES-256 suites negotiate 256-bit session keys; the CBC/SHA-1 variant is dated but not brute-forceable, and the GCM suite with a 2048-bit DH group is the strongest of the four. References: CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page 9; https://learn.microsoft.com/en-us/windows/win32/secauthn/cipher-suites-in-schannel
Question 819:
Which of the following activities is designed to handle a control failure that leads to a breach?
A. Risk assessment
B. Incident management
C. Root cause analysis
D. Vulnerability management
Correct Answer: B
Explanation: Incident management is a process that aims to handle a control failure that leads to a breach by restoring normal operations as quickly as possible and minimizing the impact and damage of the incident. Incident management involves activities such as identifying, analyzing, containing, eradicating, recovering, and learning from security incidents. Risk assessment, root cause analysis, and vulnerability management are other processes related to security management, but they are not designed to handle a control failure that leads to a breach. Reference: https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901
Question 820:
An organization announces that all employees will need to work remotely for an extended period of time. All employees will be provided with a laptop and supported hardware to facilitate this requirement. The organization asks the information security division to reduce the risk during this time. Which of the following is a technical control that will reduce the risk of data loss if a laptop is lost or stolen?
A. Requiring the use of the corporate VPN
B. Requiring the screen to be locked after five minutes of inactivity
C. Requiring the laptop to be locked in a cabinet when not in use
D. Requiring full disk encryption
Correct Answer: D
Explanation: Full disk encryption (FDE) is a technical control that encrypts all the data on a disk drive, including the operating system and applications. FDE prevents unauthorized access to the data if the disk drive is lost or stolen, as it requires a password or key to decrypt the data. FDE can be implemented using software or hardware solutions and can protect data at rest on laptops and other devices. A VPN protects data in transit, not data at rest on a stolen device; a screen lock is a technical control but is bypassed by removing the drive and reading it from another machine; locking the laptop in a cabinet is a physical control, not a technical one. References: CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page 10; https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-overview