CS0-002 CompTIA CySA+ Certification Exam (CS0-002) Free Practice Exam Questions (2025 Updated)

A daemon is a program that runs in the background on a system and performs certain tasks or services without user intervention. A daemon’s binary is the executable file that contains the code and instructions for the daemon to run. The server log shows that the daemon’s binary was changed on Aug 1 2020 at 00:00:01 by an unknown user with UID 0 (root). This is the greatest security concern, because it could indicate that an attacker has gained root access to the system and modified the daemon’s binary with malicious code that could compromise the system’s security or functionality. Four consecutive days of monitoring being skipped in the log, the process identifiers for the running service changing, or the PIDs continuously changing are not security concerns, but rather normal events that could occur due to system maintenance, updates, restarts, or scheduling. Reference: https://www.linux.com/training-tutorials/what-are-linux-daemons/

This is the technique that the analyst should use to analyze the increase in failed login attempts on the network. Event correlation is a process that analyzes multiple events or logs from different sources and identifies patterns, relationships, or causal links between them. Event correlation can help reveal the root cause, scope, impact, and sequence of a security incident.

Implementing input validation is the best way to locate and prevent the issue of manipulation of the public-facing web form used by customers to order products. Input validation is a technique that checks and filters any user input that is sent to an application before processing it. Input validation can help to ensure that the user input conforms to the expected format, length and type, and does not contain any malicious characters or syntax that may alter the logic or behavior of the application. Input validation can also reject or sanitize any input that does not meet the validation criteria .

Memory cache and swap volume are types of media that are most volatile and should be preserved during a digital forensics investigation. Volatile media are those that store data temporarily and lose their contents when the power is turned off or interrupted. Memory cache is a small and fast memory that stores frequently used data or instructions for faster access by the processor. Swap volume is a part of the hard disk that is used as an extension of the memory when the memory is full or low .

Lessons learned is a critical stage of incident response that involves evaluating the effectiveness of the response, identifying gaps and areas for improvement, and updating the incident response plan accordingly1. Company leadership should be involved in this process to ensure they are aware of the incident, its impact, and the actions taken to prevent or mitigate future incidents. Additionally, company leadership can provide support and guidance for implementing the recommendations from the lessons learned session2.

The correct answer is B. The analyst should block requests to no-thanks.invalid. The log snippet shows a DNS query from host 192.168.1.67 to the public resolver 8.8.8.8 for the domain name no-thanks.invalid, which is resolved to the IP address 102.100.20.20. This is a possible indicator of compromise (IOC), as no-thanks.invalid is a known malicious domain that is used by attackers to exfiltrate data or execute commands on compromised hosts1. The analyst should block requests to this domain to prevent further communication with the attacker’s server and investigate the host 192.168.1.67 for signs of infection.

A. The analyst should disable DNS recursion is not correct. DNS recursion is a process where a DNS server queries other DNS servers on behalf of a client until it finds the authoritative answer for a domain name2. Disabling DNS recursion would prevent the DNS server from resolving any domain names that are not in its cache or zone files, which would affect the normal functionality of the network and the internet access of the clients.

C. The analyst should disconnect host 192.168.1.67 is not correct. Disconnecting host 192.168.1.67 would stop the communication with the malicious domain, but it would also disrupt the legitimate activities of the host and its user. Moreover, disconnecting the host would not remove the malware or root cause of the compromise, and it would not prevent the host from reconnecting to the malicious domain once it is online again.

D. The analyst should sinkhole 102.100.20.20 is not correct. Sinkholing is a technique that redirects malicious or unwanted traffic to a controlled destination, such as a fake or isolated server3. Sinkholing 102.100.20.20 would prevent the communication with the malicious domain, but it would also require access and control over the public resolver 8.8.8.8, which is not owned or managed by the analyst or the company.

E. The analyst should disallow queries to the 8.8.8.8 resolver is not correct. Disallowing queries to the 8.8.8.8 resolver would prevent the communication with the malicious domain, but it would also affect the resolution of other legitimate domain names that are not in the local DNS server’s cache or zone files.

1: DNS Tunneling: how DNS can be (ab)used by malicious actors 2: What Is DNS Recursion? 3: What Is a Sinkhole Attack?

Data auditing is the most essential and effective method to protect PII from an insider threat. Data auditing is the process of monitoring and recording the activities and events related to data access and usage. Data auditing can help detect and prevent any suspicious or anomalous behavior by an insider threat who tries to access or manipulate PII.

Data auditing can provide several benefits for data protection, such as:

It can provide accountability and transparency for data access and usage, which can deter potential insider threats from abusing their privileges or violating policies.

It can provide evidence and traceability for data incidents, which can help investigate and respond to data breaches or leaks by insider threats.

It can provide feedback and insights for data security improvement, which can help identify and address any gaps or weaknesses in data protection measures.

Data auditing can be done by using tools such as logs, alerts, reports, or dashboards. These tools can help security analysts track and analyze data activity and identify any patterns or anomalies that indicate a possible insider threat.

A blacklist is a list of domains, IP addresses, email addresses, or other identifiers that are known or suspected to be malicious or harmful. A blacklist can be used to block or filter unwanted or dangerous traffic from reaching a network or system2 Updating the blacklist can help prevent phishing campaigns by adding the domains or email addresses of the phishing sources to the list and preventing them from sending emails to the company’s employees.

Third-party assessment. A third-party assessment is a process that explores the risk posed to your organization by third-party vendors along the supply chain. This process evaluates the likelihood that your business is exposed to different third-party risks such as compliance risk, operational risk, financial risk, security risk and cybersecurity risk1.

A third-party assessment can help the CSO gain a better understanding of the prospective company’s cybersecurity posture by:

Providing an independent and objective evaluation of the vendor’s security policies, controls, and practices.

Identifying any gaps or weaknesses in the vendor’s security posture that could compromise your organization’s data, systems, or reputation.

Recommending actions or improvements to mitigate or reduce the identified risks and enhance the vendor’s security performance.

A third-party assessment can also help the CSO identify risks in the supply chain by:

Mapping and tracing the data flow and dependencies among the vendor and its subcontractors or suppliers.

Assessing how the vendor and its subcontractors or suppliers safeguard data and comply with relevant regulations and standards.

Detecting any signs of malicious or negligent behavior by the vendor or its subcontractors or suppliers that could harm your organization or its customers.

Investing in a failover and redundant system, as necessary, is the best solution to improve the availability of the organization’s systems based on past incidents. A failover system is a backup system that automatically takes over the operation of a primary system in case of a failure or outage. A redundant system is a duplicate system that runs simultaneously with the primary system and provides backup functionality if needed. Investing in a failover and redundant system can help to ensure that the organization’s systems are always available and can handle the workload without interruption or degradation .

A security analyst is reviewing the network security monitoring logs listed below and is most likely observing that 10.1.1.129 sent potential malicious requests to the web server and that 10.1.1.130 can potentially obtain information about the PHP version. The logs show that 10.1.1.129 sent two requests to the web server with suspicious parameters, such as “union select” and “or 1=1”, which are commonly used for SQL injection attacks. The logs also show that 10.1.1.130 sent a request to the web server with a parameter “phpinfo”, which is a function that displays information about the PHP configuration and environment, which can be useful for attackers to find vulnerabilities or exploit them. References: CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page 8; https://owasp.org/www-community/attacks/SQL_Injection; https://www.php.net/manual/en/function.phpinfo.php

Threat hunting is a proactive process of searching for signs of malicious activity or compromise within a system or network, by using hypotheses, indicators of compromise, and analytical tools. Threat hunting can help improve detection capabilities by identifying unknown threats, uncovering gaps in security controls, and providing insights for remediation and prevention. Vulnerability scanning (A) is a reactive process of scanning systems or networks for known vulnerabilities or weaknesses that can be exploited by attackers. It can help identify and prioritize vulnerabilities, but not proactively hunt for threats. Red teaming © is a simulated attack on a system or network by a group of ethical hackers who act as adversaries and try to breach security controls. It can help test the effectiveness of security defenses and response capabilities, but not proactively hunt for threats. Penetration testing (D) is similar to red teaming, but with a more defined scope and objective. It can help evaluate the security of a system or network by simulating real-world attacks and exploiting vulnerabilities, but not proactively hunt for threats.

References: : https://www.techopedia.com/definition/33297/threat-hunting : https://www.techopedia.com/definition/4160/web-application-security-scanner-was : https://www.techopedia.com/definition/32694/red-teaming : https://www.techopedia.com/definition/13493/penetration-testing

SaaS stands for Software as a Service, which is a cloud model that allows users to access software applications over the internet without installing or maintaining them on their own devices. SaaS will allow all data to be kept on the third-party network, because the software applications and the data they generate or process are stored on the cloud provider’s servers. VDI, CASB, and FaaS are other terms related to cloud computing or security, but they do not match the description of keeping all data on the third-party network. Reference: https://www.ibm.com/cloud/learn/software-as-a-service

In this scenario, the issue is related to manipulation of the public-facing web form, indicating that attackers might be altering the prices before submitting the form. One of the best ways to prevent such attacks is to implement input validation, which can help ensure that the data submitted to the web form is correct, complete, and in the expected format. Input validation can also help prevent SQL injection and other types of web-based attacks.

This line from the output most likely indicates that attackers could quickly use brute force and determine the negotiated secret session key, as it represents a weak cipher suite that uses an outdated encryption algorithm, a small key size, and no forward secrecy. A cipher suite is a combination of cryptographic algorithms and parameters that are used to establish a secure communication channel between two parties. The cipher suite in this line consists of four components: TLS_RSA_WITH_DES_CBC_SHA 56.

TLS stands for Transport Layer Security, and it is a protocol that provides security and privacy for network communications.

RSA stands for Rivest-Shamir-Adleman, and it is an algorithm that uses public-key cryptography for key exchange and authentication.

DES stands for Data Encryption Standard, and it is an algorithm that uses symmetric-key cryptography for data encryption.

CBC stands for Cipher Block Chaining, and it is a mode of operation that encrypts each block of data by XORing it with the previous ciphertext block.

SHA stands for Secure Hash Algorithm, and it is an algorithm that produces a fixed-length hash value from any input data.

56 stands for the key size in bits, which indicates how strong or secure the encryption is.

The cipher suite in this line is weak because:

DES is an outdated encryption algorithm that has been broken by brute force attacks, as it has a small key size of 56 bits, which can be easily guessed by modern computers.

RSA does not provide forward secrecy, which means that if the RSA private key is compromised, all past and future communications encrypted with that key can be decrypted by an attacker.

SHA is also an outdated hash algorithm that has been replaced by newer versions such as SHA-2 or SHA-3, as it has some vulnerabilities and weaknesses.

Authentication is a method of verifying a user’s identity by requiring some piece of evidence, such as something the user knows (e.g., password), something the user has (e.g., token), or something the user is (e.g., fingerprint). Authentication is the best method to prevent unauthorized use of an API, because it ensures that only legitimate users can access or use the API functions or data. HTTPS, geofencing, or rate limiting are other methods that can enhance the security or performance of an API, but they do not prevent unauthorized use of an API. Reference: https://www.redhat.com/en/topics/api/what-is-api-security

Resource exhaustion is most likely occurring on the server. Resource exhaustion is a condition where a system runs out of resources, such as CPU, memory, disk space, or network bandwidth, due to excessive demand or consumption by one or more processes. Resource exhaustion can cause performance degradation, system instability, or denial-of-service. The server statistics show that the CPU usage is 100%, the memory usage is 99%, and the disk usage is 98%. These indicate that the server is under heavy load and has little or no resources available to handle incoming requests or perform other tasks.

UEBA stands for User and Entity Behavior Analytics, which is a category of security products that use machine learning and statistical analysis to identify malicious actions by users or entities on a network. UEBA products can detect anomalous or suspicious behaviors that deviate from normal patterns or baselines, such as data exfiltration, privilege escalation, unauthorized access, insider threats, or compromised accounts. UEBA products can also provide alerts, reports, or recommendations for response actions based on the detected behaviors.

Static analysis of the code is a technique that scans the source code or the compiled code of an application without executing it, to identify potential vulnerabilities, errors, or bugs. Static analysis can help uncover all the software vulnerabilities, safeguard the interest of the software’s end users, reduce the likelihood that a defective program will enter production, and preserve the interests of the software producer by improving the quality and security of the code before it is deployed or run1