Pass Exam Questions Efficiently With CS0-002 Questions (2026) [Q79-Q101]

Share

Pass Exam Questions Efficiently With CS0-002 Questions (2026) 

CS0-002 Questions - Truly Beneficial For Your CompTIA Exam 

NEW QUESTION # 79
A security analyst is reviewing the following server statistics:

Which of the following is MOST likely occurring?

  • A. Privilege escalation
  • B. Resource exhaustion
  • C. VM escape
  • D. Race condition

Answer: B


NEW QUESTION # 80
An organization wants to implement controls for protecting private information at rest. Which of the following would meet the organization's need?

  • A. Non-disclosure agreements
  • B. Data minimization
  • C. Retention policies
  • D. Encryption

Answer: D

Explanation:
The correct answer is D. Encryption. Encryption is a technical control that transforms data into an unreadable format using a secret key or algorithm. Encryption can protect data at rest by preventing unauthorized access, modification, or exfiltration of the data. Encryption can also protect data in transit and in use, depending on the type and level of encryption applied1.


NEW QUESTION # 81
A company wants to establish a threat-hunting team. Which of the following BEST describes the rationale for integrating intelligence into hunt operations?

  • A. It supports rapid response and recovery during and following an incident
  • B. It enables the team to prioritize the focus areas and tactics within the company's environment
  • C. It allows analysts to receive routine updates on newly discovered software vulnerabilities
  • D. It provides criticality analyses for key enterprise servers and services

Answer: B


NEW QUESTION # 82
Which of the following is the most important reason to involve the human resources department in incident response?

  • A. To prevent Incident responders from Interacting directly with any users
  • B. To ensure the incident response process captures evidence needed in case of disciplinary actions
  • C. To better Inform recruiters during hiring so they can include incident response Interview questions
  • D. To validate that the incident response process meets the organization's best practices

Answer: B

Explanation:
The human resources department should be involved in incident response, to ensure that the incident response process captures evidence needed in case of disciplinary actions against any employees who may have caused or contributed to the incident, either intentionally or unintentionally. The human resources department can also help with enforcing policies and procedures, communicating with employees, and providing legal or ethical guidance.


NEW QUESTION # 83
Which of the following types of controls defines placing an ACL on a file folder?

  • A. Technical control
  • B. Operational control
  • C. Managerial control
  • D. Confidentiality control

Answer: A


NEW QUESTION # 84
A company's Chief Information Security Officer (CISO) is concerned about the integrity of some highly confidential files. Any changes to these files must be tied back to a specific authorized user's activity session.
Which of the following is the BEST technique to address the CISO's concerns?

  • A. Use Wireshark to scan all traffic to and from the directory.
    Monitor the files for unauthorized changes.
  • B. Place a legal hold on the files.
    Require authorized users to abide by a strict time context access policy.
    Monitor the files for unauthorized changes.
  • C. Configure DLP to reject all changes to the files without pre-authorization.
    Monitor the files for unauthorized changes.
  • D. Regularly use SHA-256 to hash the directory containing the sensitive information.
    Monitor the files for unauthorized changes.

Answer: C


NEW QUESTION # 85
Which of the following threat classifications would MOST likely use polymorphic code?

  • A. Known threat
  • B. Advanced persistent threat
  • C. Zero-day threat
  • D. Unknown threat

Answer: C


NEW QUESTION # 86
A SIEM solution alerts a security analyst of a high number of login attempts against the company's webmail portal. The analyst determines the login attempts used credentials from a past data breach.
Which of the following is the BEST mitigation to prevent unauthorized access?

  • A. Multifactor authentication
  • B. Single sign-on
  • C. Mandatory access control
  • D. Federation
  • E. Privileged access management

Answer: A


NEW QUESTION # 87
A compliance officer of a large organization has reviewed the firm's vendor management program but has discovered there are no controls defined to evaluate third-party risk or hardware source authenticity. The compliance officer wants to gain some level of assurance on a recurring basis regarding the implementation of controls by third parties.
Which of the following would BEST satisfy the objectives defined by the compliance officer?
(Choose two.)

  • A. Soliciting third-party audit reports on an annual basis
  • B. Utilizing DLP capabilities at both the endpoint and perimeter levels
  • C. Executing vendor compliance assessments against the organization's security controls
  • D. Maintaining and reviewing the organizational risk assessment on a quarterly basis
  • E. Executing NDAs prior to sharing critical data with third parties
  • F. Completing a business impact assessment for all critical service providers

Answer: C,F


NEW QUESTION # 88
A security analyst is investigate an no client related to an alert from the threat detection platform on a host (10.0 1.25) in a staging environment that could be running a cryptomining tool because it in sending traffic to an IP address that are related to Bitcoin.
The network rules for the instance are the following:

Which of the following is the BEST way to isolate and triage the host?

  • A. Remove rules 1.2. 3.4. and 5.
  • B. Remove rules 1.2. and 5.
  • C. Remove rules 1.4. and 5.
  • D. Remove rules 1.2. and 3.
  • E. Remove rules 1.2. 4. and 5.
  • F. Remove rules 4 and 5

Answer: B


NEW QUESTION # 89
As part of an organization's information security governance process, a Chief Information Security Officer
(CISO) is working with the compliance officer to update policies to include statements related to new
regulatory and legal requirements. Which of the following should be done to BEST ensure all employees are
appropriately aware of changes to the policies?

  • A. Distribute revised copies of policies to employees and obtain a signed acknowledgement from them
  • B. Post the policies on the organization's intranet and provide copies of any revised policies to all active
  • C. Require all employees to attend updated security awareness training and sign an acknowledgement
  • D. Conduct a risk assessment based on the controls defined in the newly revised policies

Answer: C


NEW QUESTION # 90
A development team uses open-source software and follows an Agile methodology with two-week sprints.
Last month, the security team filed a bug for an insecure version of a common library. The DevOps team updated the library on the server, and then the security team rescanned the server to verify it was no longer vulnerable. This month, the security team found the same vulnerability on the server.
Which of the following should be done to correct the cause of the vulnerability?

  • A. Implement a software repository management tool.
  • B. Deploy a WAF in front of the application.
  • C. Instruct the developers to use input validation in the code.
  • D. Install a HIPS on the server.

Answer: A


NEW QUESTION # 91
During an incident investigation, a security analyst discovers the web server is generating an unusually high volume of logs The analyst observes the following response codes:
* 20% of the logs are 403
* 20% of the logs are 404
* 50% of the logs are 200
* 10% of the logs are other codes
The server generates 2MB of logs on a daily basis, and the current day log is over 200MB. Which of the following commands should the analyst use to identify the source of the activity?

  • A. cat access_log Igrep " 204 "
  • B. cat access_log Igrep " 200 "
  • C. cat access_log Igrep " 4 04 "
  • D. cat access_log Igrep " 403 "
  • E. cat access_log Igrep " 100 "

Answer: B

Explanation:
Requests sent from the same IP address using different user agents are likely to be malicious or suspicious, as they indicate that an attacker is trying to evade detection or bypass security controls by changing their browser or device identification. These requests may indicate that an attacker is using automated tools or scripts to scan or attack the web server.
Requests identified by a threat intelligence service with a bad reputation are also likely to be malicious or suspicious, but they are not the source of the activity, as they originate from different IP addresses. These requests may indicate that an attacker is trying to exploit a vulnerability or perform reconnaissance on the web server.
Requests blocked by the web server per the input sanitization are not likely to be the source of the activity, as they indicate that the web server has successfully prevented an attack by validating and filtering any malicious input from the requests. These requests may indicate that an attacker is trying to inject malicious code or commands into the web server.
Failed log-in attempts against the web application are not likely to be the source of the activity, as they indicate that the web application has successfully prevented unauthorized access by verifying and rejecting any invalid credentials from the requests. These requests may indicate that an attacker is trying to guess or brute-force passwords or usernames for the web application.
Requests sent by NICs with outdated firmware are not likely to be the source of the activity, as they indicate that some devices on the network have not been updated with the latest security patches or features for their network interface cards (NICs). These requests may indicate that some devices are vulnerable to network attacks or have performance issues.
Existence of HTTP/501 status codes generated to the same IP address are not likely to be the source of the activity, as they indicate that the web server has encountered an error or does not support a request method from the client. These requests may indicate that an attacker is trying to use an invalid or unsupported method to access the web server.


NEW QUESTION # 92
A security analyst needs to perform a search for connections with a suspicious IP on the network traffic. The company collects full packet captures at the Internet gateway and retains them for one week. Which of the following will enable the analyst to obtain the BEST results?

  • A. tcpdump-n-rinternet.pcaphost<suspicious ip>
  • B. grep -a <suspicious ip> internet.pcap
  • C. npcapd internet.pcap | grep <suspicious ip>
  • D. strings internet.pcap | grep <suspicious ip>

Answer: A


NEW QUESTION # 93
In web application scanning, static analysis refers to scanning:

  • A. the compiled code of the application to detect possible issues.
  • B. an application that is installed on a system that is assigned a static IP.
  • C. the system for vulnerabilities before installing the application.
  • D. an application that is installed and active on a system.

Answer: C


NEW QUESTION # 94
While conducting research on malicious domains, a threat intelligence analyst received a blue screen of death. The analyst rebooted and received a message stating that the computer had been locked and could only be opened by following the instructions on the screen. Which of the following combinations describes the MOST likely threat and the PRIMARY mitigation for the threat?

  • A. Ransomware and update antivirus
  • B. Account takeover and data backups
  • C. Ransomware and full disk encryption
  • D. Ransomware and data backups

Answer: D


NEW QUESTION # 95
An analyst received an alert regarding an application spawning a suspicious command shell process Upon further investigation, the analyst observes the following registry change occurring immediately after the suspicious event:

Which of the following was the suspicious event able to accomplish?

  • A. Bypass file access controls.
  • B. Impair defenses.
  • C. Implement beaconing.
  • D. Establish persistence.

Answer: D

Explanation:
The suspicious event was able to accomplish establishing persistence by creating a registry change that runs a command shell process every time a user logs on. The registry change modifies the Userinit value under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon key, which specifies what programs should run when a user logs on to Windows. By appending "cmd.exe," to the existing value, the event ensures that a command shell process will be launched every time a user logs on, which can allow the attacker to maintain access to the system or execute malicious commands. The other options are not related to the registry change. Reference: CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page 10; https://docs.microsoft.com/en-us/windows/win32/sysinfo/userinit-entry


NEW QUESTION # 96
A company's application development has been outsourced to a third-party development team. Based on the SLA.
The development team must follow industry best practices for secure coding. Which of the following is the BEST way to verify this agreement?

  • A. Security regression testing
  • B. Input validation
  • C. User acceptance testing
  • D. Application fuzzing
  • E. Stress testing

Answer: C


NEW QUESTION # 97
A security analyst receives an alert from the SIEM about a possible attack happening on the network The analyst opens the alert and sees the IP address of the suspected server as 192.168.54.66. which is part of the network 192 168 54 0/24. The analyst then pulls all the command history logs from that server and sees the following

Which of the following activities is MOST likely happening on the server?

  • A. Fuzzing
  • B. A vulnerability scan
  • C. A MUM attack
  • D. Enumeration

Answer: C


NEW QUESTION # 98
Industry partners from critical infrastructure organizations were victims of attacks on their SCADA devices. The attacker was able to gain access to the SCADA by logging in to an account with weak credentials. Which of the following identity and access management solutions would help to mitigate this risk?

  • A. Endpoint detection and response
  • B. Role-based access control
  • C. Multifactor authentication
  • D. Manual access reviews

Answer: B

Explanation:
RBAC helps organizations manage access to critical infrastructure networks by assigning access based on roles. This allows organizations to control who can access specific resources and helps eliminate weak credentials that attackers could exploit. Manual reviews and endpoint detection and response can also help to mitigate risk, but role based access control is the best solution for this scenario.


NEW QUESTION # 99
Which of the following can detect vulnerable third-parly libraries before code deployment?

  • A. Impact analysis
  • B. Protocol analysis
  • C. Dynamic analysis
  • D. Static analysis

Answer: D


NEW QUESTION # 100
An organization has the following risk mitigation policies
* Risks without compensating controls will be mitigated first it the nsk value is greater than $50,000
* Other nsk mitigation will be pnontized based on risk value.
The following risks have been identified:

Which of the following is the ordei of priority for risk mitigation from highest to lowest?

  • A. B, C, D, A
  • B. D, C, B, A
  • C. C. D, A, B
  • D. C, B, A, D
  • E. A, C, D, B

Answer: C


NEW QUESTION # 101
......

Truly Beneficial For Your CompTIA Exam: https://www.validbraindumps.com/CS0-002-exam-prep.html

Download CompTIA CS0-002 Sample Questions: https://drive.google.com/open?id=147yFAE5ItBbkeqeiSTSjWMr96xb5PhSB