CS0-002 Exam Dumps Free Test Engine Verified By CompTIA CySA+ Certified Experts [Q129-Q154]


Use real CompTIA CS0-002 dumps - 100% exam passing guarantee

NEW QUESTION # 129
A security analyst is reviewing packet captures from a system that was compromised. The system was already isolated from the network, but it did have network access for a few hours after being compromised. When viewing the capture in a packet analyzer, the analyst sees the following:

Which of the following can the analyst conclude?

  • A. The system is scanning ajgidwle.com for PII.
  • B. Data is being exfiltrated over DNS.
  • C. The system is running a DoS attack against ajgidwle.com.
  • D. Malware is attempting to beacon to 128.50.100.3.

Answer: A


NEW QUESTION # 130
A security analyst is performing a Diamond Model analysis of an incident the company had last quarter. A potential benefit of this activity is that it can identify:

  • A. the time spent by analysts on each of the incidents.
  • B. detection and prevention capabilities to improve.
  • C. which systems were exploited more frequently.
  • D. which analysts require more training.
  • E. possible evidence that is missing during forensic analysis.

Answer: B


NEW QUESTION # 131
A company's Chief Information Security Officer (CISO) is concerned about the integrity of some highly confidential files. Any changes to these files must be tied back to a specific authorized user's activity session.
Which of the following is the BEST technique to address the CISO's concerns?

  • A. Regularly use SHA-256 to hash the directory containing the sensitive information. Monitor the files for unauthorized changes.
  • B. Use Wireshark to scan all traffic to and from the directory. Monitor the files for unauthorized changes.
  • C. Place a legal hold on the files. Require authorized users to abide by a strict time context access policy.
    Monitor the files for unauthorized changes.
  • D. Configure DLP to reject all changes to the files without pre-authorization. Monitor the files for unauthorized changes.

Answer: C


NEW QUESTION # 132
During a review of security controls, an analyst was able to connect to an external, unsecured FTP server from a workstation. The analyst was troubleshooting and reviewed the ACLs of the segment firewall the workstation is connected to:

Based on the ACLs above, which of the following explains why the analyst was able to connect to the FTP server?

  • A. FTP was allowed as being included in Seq 3 and Seq 4 of the ACL.
  • B. FTP was allowed in Seq 10 of the ACL.
  • C. FTP was allowed as being outbound from Seq 9 of the ACL.
  • D. FTP was explicitly allowed in Seq 8 of the ACL.

Answer: D


NEW QUESTION # 133
A cybersecurity analyst is responding to an incident. The company's leadership team wants to attribute the incident to an attack group. Which of the following models would BEST apply to the situation?

  • A. MITRE ATT&CK
  • B. Kill chain
  • C. Diamond Model of Intrusion Analysis
  • D. Intelligence cycle

Answer: C


NEW QUESTION # 134
An organization that uses SPF has been notified that emails sent via its authorized third-party partner are getting rejected. A security analyst reviews the DNS entry and sees the following:
v=spfl ip4:180.10.6.5 ip4: 180.10.6.10 include: robusmail.com -all
The organization's primary mail server IP is 180.10.6.6, and the secondary mail server IP is 180.10.6.5. The organization's third-party mail provider is "Robust Mail" with the domain name robustmail.com.
Which of the following is the MOST likely reason for the rejected emails?

  • A. SPF version 1 does not support third-party providers
  • B. An incorrect IP version is being used.
  • C. The primary and secondary email server IP addresses are out of sequence.
  • D. The wrong domain name is in the SPF record.

Answer: D


NEW QUESTION # 135
A security analyst is concerned the number of security incidents being reported has suddenly gone down. Daily business interactions have not changed, and no following should the analyst review FIRST?

  • A. Privileged accounts
  • B. The DNS configuration
  • C. The firewall ACL
  • D. The IDS rule set

Answer: D

Explanation:
The security analyst should review the IDS rule set first. The IDS (Intrusion Detection System) is a tool that monitors network traffic and alerts on any suspicious or malicious activity. The IDS rule set is a set of conditions or patterns that define what constitutes normal or abnormal behavior on the network. The IDS rule set directly affects the number of security incidents being reported, because it determines what does or does not trigger an alert. The security analyst should review the IDS rule set to check that it is up to date, accurate, and comprehensive. If the IDS rule set is outdated, inaccurate, or incomplete, it may miss incidents or generate false positives or false negatives.


NEW QUESTION # 136
A security analyst is looking at the headers of a few emails that appear to be targeting all users at an organization:


Which of the following technologies would MOST likely be used to prevent this phishing attempt?

  • A. S/IMAP
  • B. STP
  • C. DMARC
  • D. DNSSEC

Answer: C

Explanation:
DMARC stands for Domain-based Message Authentication, Reporting and Conformance. It is an email authentication protocol that helps prevent spoofing and phishing attacks by verifying that the sender's domain matches the domain in the email header. DMARC also provides a way for domain owners to specify how receivers should handle unauthenticated messages from their domain.


NEW QUESTION # 137
A cybersecurity analyst routinely checks logs, querying for login attempts. While querying for unsuccessful login attempts during a five-day period, the analyst produces the following report:

Which of the following BEST describes what the analyst just found?

  • A. Users 4 and 5 are using their credentials to transfer files to multiple servers.
  • B. An unauthorized user is using login credentials in a script.
  • C. A bot is running a brute-force attack in an attempt to log in to the domain.
  • D. Users 4 and 5 are using their credentials to run an unauthorized scheduled task targeting some servers in the cloud.

Answer: C


NEW QUESTION # 138
The help desk informed a security analyst of a trend that is beginning to develop regarding a suspicious email that has been reported by multiple users.
The analyst has determined the email includes an attachment named invoice.zip that contains the following files:
Locky.js
xerty.ini
xerty.lib
Further analysis indicates that when the .zip file is opened, it is installing a new version of ransomware on the devices.
Which of the following should be done FIRST to prevent data on the company NAS from being encrypted by infected devices?

  • A. Add the URL included in the .js file to the company's web proxy filter.
  • B. Set permissions on file shares to read-only.
  • C. Disable access to the company VPN.
  • D. Email employees instructing them not to open the invoice attachment.

Answer: D


NEW QUESTION # 139
A security manager has asked an analyst to provide feedback on the results of a penetration test. After reviewing the results, the manager requests information regarding the possible exploitation of vulnerabilities. Which of the following information data points would be MOST useful for the analyst to provide to the security manager, who would then communicate the risk factors to the senior management team? (Select TWO).

  • A. Probability
  • B. Impact
  • C. Classification
  • D. Indicators of compromise
  • E. Attack vector
  • F. Adversary capability

Answer: B,F

Explanation:
According to the CompTIA CySA+ (CS0-002) best practices, the most useful information data points to provide to the security manager for communicating the risk factors to senior management are the impact and adversary capability. The impact refers to the potential consequences of a successful attack or exploitation of a vulnerability, such as data loss or system compromise. The adversary capability refers to the ability of an attacker to exploit a vulnerability, including their technical expertise and resources. Together, these data points help to provide a complete picture of the risk associated with a vulnerability, and allow senior management to make informed decisions regarding risk mitigation and remediation. The other data points, such as probability, attack vector, classification, and indicators of compromise, can also be valuable, but the impact and adversary capability are considered the most critical for prioritizing risk mitigation efforts.


NEW QUESTION # 140
Understanding attack vectors and integrating intelligence sources are important components of:

  • A. risk management compliance.
  • B. a vulnerability management plan.
  • C. an incident response plan.
  • D. proactive threat hunting

Answer: D

Explanation:
Understanding attack vectors and integrating intelligence sources are two of the proactive threat hunting activities listed in the CySA+ exam objectives:
1. Establishing a hypothesis
2. Profiling threat actors and activities
3. Threat hunting tactics
4. Reducing the attack surface
5. Bundling critical systems/assets into groups or protected zones
6. Attack vectors understood, assessed and addressed
7. Integrated intelligence
8. Improving detection capabilities


NEW QUESTION # 141
A cyber-security analyst is implementing a new network configuration on an existing network access layer to prevent possible physical attacks. Which of the following BEST describes a solution that would apply and cause fewer issues during the deployment phase?

  • A. Configure 802.1X and EAPOL across the network
  • B. Deploy network address protection with DHCP and dynamic VLANs.
  • C. Implement port security with one MAC address per network port of the switch.
  • D. Implement software-defined networking and security groups for isolation

Answer: A


NEW QUESTION # 142
An employee in the billing department accidentally sent a spreadsheet containing payment card data to a recipient outside the organization. The employee intended to send the spreadsheet to an internal staff member with a similar name and was unaware of the mistake until the recipient replied to the message. In addition to retraining the employee, which of the following would prevent this from happening in the future?

  • A. Remove all external recipients from the employee's address book
  • B. Set the outgoing mail filter to strip spreadsheet attachments from all messages.
  • C. Implement outgoing filter rules to quarantine messages that contain card data
  • D. Configure the outgoing mail filter to allow attachments only to addresses on the whitelist

Answer: D


NEW QUESTION # 143
A risk assessment concludes that the perimeter network has the highest potential for compromise by an attacker, and it is labeled as a critical risk environment. Which of the following is a valid compensating control to reduce the volume of valuable information in the perimeter network that an attacker could gain using active reconnaissance techniques?

  • A. A control that demonstrates that the network security policy is reviewed and updated yearly
  • B. A control that demonstrates that access to a system is only allowed by using SSH
  • C. A control that demonstrates that firewall rules are peer reviewed for accuracy and approved before deployment
  • D. A control that demonstrates that all systems authenticate using the approved authentication method

Answer: C

Explanation:
A valid compensating control to reduce the volume of valuable information in the perimeter network that an attacker could gain using active reconnaissance techniques is a control that demonstrates that firewall rules are peer reviewed for accuracy and approved before deployment. This control can help ensure that the firewall rules are configured correctly and securely, and that they do not allow unnecessary or unauthorized access to the perimeter network. The other options are not compensating controls or do not address the risk of active reconnaissance. Reference: CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page 14; https://www.isaca.org/resources/isaca-journal/issues/2016/volume-3/compensating-controls


NEW QUESTION # 144
A security analyst needs to assess the web server versions on a list of hosts to determine which are running a vulnerable version of the software and output that list into an XML file named webserverlist.xml. The host list is provided in a file named webserverlist.txt. Which of the following Nmap commands would BEST accomplish this goal?
A)

B)

C)

D)

  • A. Option A
  • B. Option C
  • C. Option B
  • D. Option D

Answer: A


NEW QUESTION # 145
A system's authority to operate (ATO) is set to expire in four days. Because of other activities and limited staffing, the organization has neglected to start reauthentication activities until now. The cybersecurity group just performed a vulnerability scan with the partial set of results shown below:

Based on the scenario and the output from the vulnerability scan, which of the following should the security team do with this finding?

  • A. Remediate by going to the web config file, searching for the enforce HTTP validation setting, and manually updating to the correct setting.
  • B. Ignore it. This is a false positive, and the organization needs to focus its efforts on other findings.
  • C. Ensure HTTP validation is enabled by rebooting the server.
  • D. Accept this risk for now because this is a "high" severity, but testing will require more than the four days available, and the system ATO needs to be completed.

Answer: A


NEW QUESTION # 146
While reviewing proxy logs, the security analyst noticed a suspicious traffic pattern. Several internal hosts were observed communicating with an external IP address over port 80 constantly.
An incident was declared, and an investigation was launched. After interviewing the affected users, the analyst determined the activity started right after deploying a new graphic design suite.
Based on this information, which of the following actions would be the appropriate NEXT step in the investigation?

  • A. Perform a network scan and identify rogue devices that may be generating the observed traffic.
    Remove those devices from the network.
  • B. Identify what the destination IP address is and who owns it, and look at running processes on the affected hosts to determine if the activity is malicious or not.
  • C. Ask desktop support personnel to reimage all affected workstations and reinstall the graphic design suite. Run a virus scan to identify if any viruses are present.
  • D. Update all antivirus and anti-malware products, as well as all other host-based security software on the servers the affected users authenticate to.

Answer: D


NEW QUESTION # 147
A security analyst receives an alert from the SIEM about a possible attack happening on the network. The analyst opens the alert and sees the IP address of the suspected server as 192.168.54.66, which is part of the network 192.168.54.0/24. The analyst then pulls all the command history logs from that server and sees the following:

Which of the following activities is MOST likely happening on the server?

  • A. Enumeration
  • B. A vulnerability scan
  • C. A MITM attack
  • D. Fuzzing

Answer: C


NEW QUESTION # 148
A malicious hacker wants to gather guest credentials on a hotel 802.11 network. Which of the following tools is the malicious hacker going to use to gain access to information found on the hotel network?

  • A. tcpdump
  • B. Aircrack-ng
  • C. Nessus
  • D. Nikto

Answer: B


NEW QUESTION # 149
A security analyst is reviewing packet captures from a system that was compromised. The system was already isolated from the network, but it did have network access for a few hours after being compromised. When viewing the capture in a packet analyzer, the analyst sees the following:

Which of the following can the analyst conclude?

  • A. Data is being exfiltrated over DNS.
  • B. The system is running a DoS attack against ajgidwle.com.
  • C. Malware is attempting to beacon to 128.50.100.3.
  • D. The system is scanning ajgidwle.com for PII.

Answer: A


NEW QUESTION # 150
During a physical penetration test at a client site, a local law enforcement officer stumbled upon the test and questioned the legitimacy of the team.
Which of the following information should be shown to the officer?

  • A. Scope of work
  • B. Team reporting
  • C. Timing information
  • D. Letter of engagement

Answer: D


NEW QUESTION # 151
A security analyst is running a tool against an executable of an unknown source. The input supplied by the tool to the executable program and the output from the executable are shown below:

Which of the following should the analyst report after viewing this information?

  • A. A dynamic library that is needed by the executable is missing
  • B. The executable attempted to execute a malicious command
  • C. Input can be crafted to trigger an injection attack in the executable
  • D. The tool caused a buffer overflow in the executable's memory

Answer: C


NEW QUESTION # 152
A security analyst suspects a malware infection was caused by a user who downloaded malware after clicking
http://<malwaresource>/a.php in a phishing email.
To prevent other computers from being infected by the same malware variation, the analyst should create a rule on the:

  • A. email server that automatically deletes attached executables.
  • B. firewall to block connection attempts to dynamic DNS hosts.
  • C. proxy to block all connections to <malwaresource>.
  • D. IDS to match the malware sample.

Answer: C


NEW QUESTION # 153
During a red team engagement, a penetration tester found a production server. Which of the following portions of the SOW should be referenced to see if the server should be part of the testing engagement?

  • A. Exploitation
  • B. Communication
  • C. Scope
  • D. Authorization

Answer: C


NEW QUESTION # 154
......


CompTIA CS0-002 certification exam is a challenging exam that requires extensive preparation. Candidates need to have a solid foundation in cybersecurity concepts and be able to apply that knowledge to real-world scenarios. They also need to be familiar with the latest cybersecurity technologies and tools. There are many resources available to help candidates prepare for the exam, including study guides, practice exams, and training courses.


Check the Free demo of our CS0-002 Exam Dumps with 277 Questions: https://freecert.test4sure.com/CS0-002-exam-materials.html