CS0-002 CompTIA CySA+ Certification Exam (CS0-002) Free Practice Exam Questions (2025 Updated)

Telnet is a command-line tool that can be used to connect to a remote host on a specified port, and to send or receive data over that connection. Telnet can be used to obtain more information about the web-based services that are running on the target, by interacting with them or observing their responses. For example, telnet 10.79.95.173 443 would connect to the target on port 443, which is commonly used for HTTPS or SSL/TLS encrypted web traffic.

A managerial control is a function of management that involves setting performance standards, measuring performance, and taking corrective actions when necessary. A managerial control helps to regulate the organizational activities and ensure that they are aligned with the organizational goals and objectives1. One of the functions of a managerial control is to help design and implement the security planning, program development, and maintenance of the security life cycle. The security life cycle is a process that defines the phases of security activities from initiation to disposal2. A managerial control can help to establish the security policies, procedures, roles, and responsibilities for each phase of the security life cycle. A managerial control can also help to monitor and evaluate the security performance and effectiveness of each phase and take corrective actions if needed.

F. A reverse shell was used: A reverse shell is a technique that allows a remote attacker to execute commands on a compromised system by opening a connection from the target to the attacker’s machine. The image shows that the attacker used the netcat tool to create a reverse shell on host 192.168.1.210, which is running a web server on port 80. The attacker then used the reverse shell to access the /images folder and download a file named secret.jpg.

C. IP address 43.23.10.201 should be blocked at the firewall: IP address 43.23.10.201 is the source of the attack, as shown by the netstat command output in the image. The attacker used this IP address to connect to host 192.168.1.210 on port 80 and exploit a vulnerability in the web server software. Blocking this IP address at the firewall would prevent further attacks from this source.

Blocking third-party applications would be the best way to mitigate future attacks on company-owned mobile devices that are used by employees to collect data from clients in the field. Third-party applications are applications that are not developed or authorized by the device manufacturer or operating system provider1. Third-party applications can pose a security risk for mobile devices, as they may contain malware, spyware, or other malicious code that can compromise the device or its data2. Blocking third-party applications can help prevent employees from installing unauthorized or untrusted applications on company-owned mobile devices and reduce the attack surface.

Threat intelligence can be used to identify likely attack scenarios within an organization based on the organization’s specific vulnerabilities, assets, and threat landscape. Threat intelligence can help security teams anticipate and prepare for potential attacks, as well as detect and respond to ongoing attacks more effectively1. Threat intelligence can also provide insights into the threat actors, their motivations, and their tactics, techniques, and procedures (TTPs)2.

A vulnerability scan is a process of identifying and assessing known vulnerabilities in a system or network using automated tools or software1 A vulnerability scan can help improve the security posture of a vulnerability management program by detecting and prioritizing potential weaknesses that could be exploited by attackers. To increase the security posture of a vulnerability scan, the following actions can be taken:

Expand the ports being scanned to include all ports: This means scanning all possible ports on a system or network, not just the well-known or commonly used ones. This can help discover more vulnerabilities that may be hidden or overlooked on less frequently used ports.

Increase the scan interval to a number the business will accept without causing service interruption: This means scanning more frequently or regularly, but not so often that it causes performance issues or downtime for the system or network. This can help keep up with new vulnerabilities that may emerge over time and reduce the window of opportunity for attackers.

Enable authentication and perform credentialed scans: This means using login credentials or SSH keys on an asset to get deeper access to its data, processes, configurations, and vulnerabilities2 This can help discover more vulnerabilities that cannot be seen from the network, such as insecure versions of software or poor security permissions.

Change Management

o The process through which changes to the configuration of information systems are

monitored and controlled, as part of the organization's overall configuration

management efforts

o Each individual component should have a separate document or database record that

describes its initial state and subsequent changes

▪ Configuration information

▪ Patches installed

▪ Backup records

▪ Incident reports/issues

o Change management ensures all changes are planned and controlled to minimize risk of

a service disruption

Change management is a process that ensures changes to systems or processes are introduced in a controlled and coordinated manner. Change management helps to minimize the impact of changes on the business operations and avoid unintended consequences or errors3 Change management can help prevent the issue of utility installation affecting the web server cluster by ensuring that the utility is properly planned, tested, approved, documented, communicated, and monitored.

The piece of code in the XML file is an example of a command injection attack, which is a type of attack that exploits insufficient input validation or output encoding to execute arbitrary commands on a server or system2 The attacker can inject malicious commands into an XML element that is processed by an XML handler on the server, and cause the server to execute those commands. The best solution to mitigate this type of attack is to implement a better level of user input filters and content sanitization, which means checking and validating any user input before processing it, and removing or encoding any potentially harmful characters or commands.

 A security information and event management (SIEM) system is a tool that collects and analyzes log data from various sources and provides alerts and reports on security incidents and events. A security analyst can create a custom rule on a SIEM system to automate the incident response process for malware infections. For example, the analyst can create a rule that triggers an alert email when the SIEM system detects logs that match the criteria of malware infection, such as process name, file name, file hash, etc. The alert email can be sent within 30 minutes or any other desired time frame. The other options are not suitable or sufficient for this purpose. References: CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page 15; https://www.sans.org/reading-room/whitepapers/analyst/security-information-event-management-siem-implementation-33969

These steps are the best to confirm and respond to the incident because they preserve the state of the compromised server for further analysis and evidence collection. Pausing the virtual machine prevents any further changes or damage by the attacker, while taking a snapshot creates a copy of the virtual machine’s memory and disk contents.

The security analyst should set up a PKI (Public Key Infrastructure) between Company A and Company B and exchange shared certificates between the two entities. This will allow them to establish a more automated approach to secure data transfers between their ERP systems. A PKI is a system that provides encryption and authentication services using public key cryptography. A PKI consists of certificates, certificate authorities (CAs), and other components that enable users to securely exchange data over untrusted networks. By exchanging shared certificates between Company A and Company B, they can verify each other’s identity and encrypt their data using public and private keys.

A tabletop scenario is an informal, discussion-based session in which a team discusses their roles and responses during an emergency, walking through one or more example scenarios. A tabletop scenario is the best approach for a company that wants to test a new incident response plan without impacting the environment or using many resources. A tabletop scenario can help the company identify strengths and weaknesses in their plan, clarify roles and responsibilities, and improve communication and coordination among team members. The other options are more intensive and disruptive exercises that involve simulating a real incident or attack. References: CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page 16; https://www.linkedin.com/pulse/tabletop-exercises-explained-matt-lemon-phd

The correct answer is C. Detection and monitoring. Detection and monitoring is a function that involves collecting, analyzing, and correlating data from various sources, such as threat feeds, logs, alerts, or events, to identify and respond to potential or ongoing threats. Detection and monitoring can help the organization to consume multiple threat feeds simultaneously and to provide actionable intelligence to various teams, such as security operations center (SOC) analysts, incident responders, or threat hunters. Detection and monitoring can also help the organization to leverage the intelligence to enrich security event data, such as adding context, severity, or priority to the events1.

A. Vulnerability management is not correct. Vulnerability management is a function that involves identifying, assessing, and mitigating the weaknesses or flaws in systems, applications, or networks that could be exploited by attackers. Vulnerability management can help the organization to reduce its attack surface and prevent potential breaches, but it does not directly involve consuming multiple threat feeds simultaneously or providing actionable intelligence to various teams.

B. Risk management is not correct. Risk management is a function that involves identifying, analyzing, and evaluating the risks that could affect the organization’s assets, operations, or objectives. Risk management can help the organization to prioritize and implement appropriate controls or mitigation strategies to reduce the likelihood or impact of the risks, but it does not directly involve consuming multiple threat feeds simultaneously or providing actionable intelligence to various teams.

D. Incident response is not correct. Incident response is a function that involves preparing for, detecting, containing, analyzing, and recovering from security incidents that compromise the confidentiality, integrity, or availability of the organization’s assets or operations. Incident response can help the organization to minimize the damage and restore normal operations as quickly as possible, but it does not directly involve consuming multiple threat feeds simultaneously or providing actionable intelligence to various teams.

1: Cybersecurity Analyst+ - CompTIA

Anti-tamper is a process that protects a system or device from unauthorized changes or modifications. It can also log and report any attempts to alter the system or device. The company is using anti-tamper to ensure the appliance is not altered from its original configured state. CI/CD, software assurance, and change management are not processes that specifically deal with unauthorized changes. Reference: https://www.acq.osd.mil/se/briefs/16943-DoD-AT-Overview-Brief.pdf

The CySA+ exam outline calls out “trusted firmware updates,” but trusted firmware itself is more commonly described as part of trusted execution environments (TEEs). Trusted firmware is signed by a chip vendor or other trusted party, and then used to access keys to help control access to hardware. TEEs like those used by ARM processors leverage these technologies to protect the hardware by preventing unsigned code from using privileged features."

Trusted firmware updates provide organizations with secure code signing, distribution, installation, and attestation for embedded devices. Embedded devices are devices that have a dedicated function and are part of a larger system or network, such as routers, cameras, sensors, etc. Embedded devices often run on firmware, which is a type of software that controls the device’s hardware and functionality. Firmware updates are essential for improving the performance, security, and reliability of embedded devices. However, firmware updates also pose risks of introducing vulnerabilities or malware into the devices if they are not properly secured. Trusted firmware updates are firmware updates that use cryptographic techniques to ensure the integrity, authenticity, and confidentiality of the firmware code and data. Trusted firmware updates typically involve four steps1:

Code signing: The firmware code is digitally signed by the firmware developer or provider using a private key. The digital signature proves that the firmware code is from a trusted source and has not been tampered with.

Distribution: The signed firmware code is securely transmitted to the embedded device or a trusted intermediary (such as a cloud service or a gateway) using encryption or other methods. The transmission ensures that the firmware code is not intercepted or modified by unauthorized parties.

Installation: The embedded device verifies the digital signature of the firmware code using a public key that is stored in a secure location (such as a trusted platform module or TPM). The verification ensures that the firmware code is from a trusted source and has not been tampered with. The embedded device then installs the firmware code and reboots to apply the update.

Attestation: The embedded device reports its firmware status and configuration to a trusted verifier (such as a cloud service or a gateway) using a cryptographic proof. The proof ensures that the embedded device has installed the correct firmware update and has not been compromised.

Trusted firmware updates provide organizations with several benefits for hardware assurance, such as2:

Preventing unauthorized or malicious firmware updates that could compromise the security or functionality of embedded devices

Detecting and mitigating firmware attacks or incidents that could affect the availability or performance of embedded devices

Complying with regulatory or industry standards or best practices for firmware security

Enhancing customer trust and satisfaction with embedded devices

Trusted firmware updates do not provide organizations with development, compilation, remote access, or customization for embedded devices (A), as these are software engineering tasks that are not directly related to firmware security. Trusted firmware updates do not provide organizations with security specifications, open-source libraries, or custom tools for embedded devices (B), as these are software resources that are not directly related to firmware security. Trusted firmware updates do not provide organizations with remote code execution, distribution, maintenance, or extended warranties for embedded devices ©, as these are software features or services that are not directly related to firmware security.

References: 1: https://www.techopedia.com/definition/24771/technical-controls  2: https://www.techopedia.com/definition/25888/security-development-lifecycle-sdl

The most secure states for the certificate authority server when it is not in use are powered off and air gapped. Powering off the server will prevent any unauthorized access or tampering with the server while it is idle. Air gapping the server will isolate it from any network connections, making it inaccessible to remote attackers or malware. These measures will help to protect the integrity and confidentiality of the certificate authority server and its keys.

PII stands for personally identifiable information, and it is any data that can be used to identify, contact, or locate a specific individual, such as name, address, phone number, email, social security number, or biometric data. PII data is considered critical because it can be used by attackers to commit identity theft, fraud, or other crimes. PII data is also subject to various laws and regulations that require organizations to protect it from unauthorized access, use, or disclosure1.

Modbus is a communication protocol that is widely used in industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems. However, Modbus was not designed to provide security and it is vulnerable to various cyberattacks. One of the main vulnerabilities of Modbus is the lack of authentication, which means that any device on the network can send or receive commands without verifying its identity or authority. This can lead to unauthorized access, data manipulation, or denial of service attacks on the ICS or SCADA system.

Some examples of attacks that exploit the lack of authentication in Modbus are:

Detection attack: An attacker can scan the network and discover the devices and their addresses, functions, and registers by sending Modbus requests and observing the responses. This can reveal sensitive information about the system configuration and operation1.

Command injection attack: An attacker can send malicious commands to the devices and modify their settings, values, or outputs. For example, an attacker can change the speed of a motor, open or close a valve, or turn off a switch23.

Response injection attack: An attacker can intercept and alter the responses from the devices and deceive the master or other devices about the true state of the system. For example, an attacker can fake a normal response when there is an error or an alarm23.

Denial of service attack: An attacker can flood the network with Modbus requests or commands and overload the devices or the communication channel. This can prevent legitimate requests or commands from being processed and disrupt the normal operation of the system14.

To mitigate these attacks, some security measures that can be applied to Modbus are:

Encryption: Encrypting the Modbus messages can prevent eavesdropping and tampering by unauthorized parties. However, encryption can also introduce additional overhead and latency to the communication56.

Authentication: Adding authentication mechanisms to Modbus can ensure that only authorized devices can send or receive commands. Authentication can be based on passwords, certificates, tokens, or other methods56.

Firewall: Installing a firewall between the Modbus network and other networks can filter out unwanted traffic and block unauthorized access. A firewall can also enforce rules and policies for Modbus communication24.

Intrusion detection system: Deploying an intrusion detection system (IDS) on the Modbus network can monitor the traffic and detect anomalous or malicious activities. An IDS can also alert the operators or trigger countermeasures when an attack is detected24.

data exfiltration is the unauthorized transfer of data from an organization’s network to an external destination, usually for malicious purposes such as espionage, sabotage, or theft. The details given in the question suggest that data exfiltration is occurring from an endpoint device. The bursts of network utilization every seven days indicate periodic data transfers. The content being transferred appears to be encrypted or obfuscated to avoid detection or analysis. The persistent outbound TCP connection from the host to infrastructure in a third-party cloud indicates a possible command and control channel for an attacker. The HDD utilization on the device grows by 10GB to 12GB over the course of every seven days, and single file sizes are 10GB, indicating that large amounts of data are being collected and compressed before being exfiltrated.