CS0-002 CompTIA CySA+ Certification Exam (CS0-002) Free Practice Exam Questions (2025 Updated)

Prowler is a tool that can scan AWS environments for security issues and compliance violations. The Prowler report shows that there are two access keys for CloudDev user: access key 1 and access key 2. Access key 1 has not been used in more than 90 days, which violates the AWS CIS benchmark 1.4 (Ensure access keys are rotated every 90 days or less). Therefore, the best recommendation is to delete access key 1 and use access key 2 instead. Deleting CloudDev access key 1, deleting BusinessUsr access key 1, or deleting access key 2 are not appropriate recommendations based on the Prowler report. Reference: https://github.com/toniblyx/prowler

According to the CompTIA CySA+ (CS0-002) best practices, the most useful information data points to provide to the security manager for communicating the risk factors to senior management are the impact and adversary capability. The impact refers to the potential consequences of a successful attack or exploitation of a vulnerability, such as data loss or system compromise. The adversary capability refers to the ability of an attacker to exploit a vulnerability, including their technical expertise and resources. Together, these data points help to provide a complete picture of the risk associated with a vulnerability, and allow senior management to make informed decisions regarding risk mitigation and remediation. The other data points, such as probability, attack vector, classification, and indicators of compromise, can also be valuable, but the impact and adversary capability are considered the most critical for prioritizing risk mitigation efforts.

A retinal scan is a biometric authentication method that uses the unique pattern of blood vessels in the retina to verify a person’s identity. It is considered a strong and reliable authentication method that would enhance the datacenter’s security. A physical key, a passphrase, or a fingerprint are other authentication methods, but they are not as secure or reliable as a retinal scan. Reference: https://www.techopedia.com/definition/2586/retinal-scan

The suspicious event was able to accomplish establishing persistence by creating a registry change that runs a command shell process every time a user logs on. The registry change modifies the Userinit value under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon key, which specifies what programs should run when a user logs on to Windows. By appending “cmd.exe,” to the existing value, the event ensures that a command shell process will be launched every time a user logs on, which can allow the attacker to maintain access to the system or execute malicious commands. The other options are not related to the registry change. References: CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page 10; https://docs.microsoft.com/en-us/windows/win32/sysinfo/userinit-entry

The analyst decided to include a custom lookup for these files on the endpoint’s log-in script as a mechanism to improve existing detection capabilities, by checking if any of these files are present on the endpoints during log-in. This can help identify any compromised endpoints that may have been infected by the zero-day vulnerability, and alert the analyst for further investigation or response.

Implementing privileged access management (PAM) would be the best countermeasure to prevent the loss of customers’ sensitive data due to a rise in cyberattackers seeking PHI (Protected Health Information). PAM is a solution that helps to control and monitor the access and use of privileged accounts, such as administrator or root accounts, that have elevated permissions or access to sensitive data. PAM can help prevent unauthorized or accidental use of privileged accounts by enforcing strict access policies, such as requiring approval, authentication, or auditing for each access request. PAM can also help rotate or expire the passwords of privileged accounts to reduce the risk of compromise2. PAM can help protect PHI from cyberattackers who may try to exploit privileged accounts to access or exfiltrate sensitive data.

Multifactor authentication is a method of verifying a user’s identity by requiring two or more pieces of evidence, such as something the user knows (e.g., password), something the user has (e.g., token), or something the user is (e.g., fingerprint). Multifactor authentication is the best compensating control to help reduce authentication compromises when the organization’s enterprise password complexity rules are inadequate for its required security posture. Smart cards, biometrics, or increased password-rotation frequency are other possible controls, but they are not as effective or comprehensive as multifactor authentication. Reference: https://www.csoonline.com/article/3239144/what-is-multifactor-authentication-mfa-how-it-works-and-why-you-need-it.html

A breach notification is a communication to affected individuals or entities that informs them of a security incident involving their personal or sensitive information. A breach notification may include details such as what information was compromised, when and how the incident occurred, what actions are being taken to mitigate the impact, and what steps the recipients should take to protect themselves3 A breach notification may be required by law or regulation, depending on the type and location of the information involved and the jurisdiction of the affected parties. Different countries or regions may have different breach notification requirements, such as who must be notified, when, how, and what information must be disclosed4 Therefore, the best role to determine the breach notification requirements for a company that experienced a breach of sensitive information affecting customers across multiple geographical regions is legal counsel. Legal counsel can advise the company on its legal obligations and liabilities, as well as help draft and deliver appropriate breach notifications.

Processing and exploitation is the step in the intelligence cycle that involves converting raw data into a format that can be used for analysis and producing intelligence products that can be disseminated to consumers. The security analyst is performing this step by correlating, ranking, and enriching raw data into a report. Analysis and production, dissemination and evaluation, data collection, and planning and direction are other steps in the intelligence cycle, but they do not match the description of the security analyst’s task. Reference: https://www.cia.gov/news-information/featured-story-archive/2010-featured-story-archive/intelligence-cycle.html

Requiring the internet portal to be accessible from only the corporate SSO internet endpoint and requiring a smart card and PIN. This option provides the best MFA requirement because it uses two factors of authentication: something you have (smart card) and something you know (PIN). It also restricts access to the portal from a trusted source (corporate SSO internet endpoint).

What is the difference between VPN and VPC?

Just as a virtual private network (VPN) provides secure data transfer over the public Internet, a VPC provides secure data transfer between a private enterprise and a public cloud provider.

VPN (Virtual Private Network) is a technology that provides secure connectivity from the corporate network to a cloud environment. VPN creates an encrypted tunnel between the two networks, allowing developers to access servers in all three tiers of the cloud environment without exposing their traffic to interception or tampering. VPN can also provide authentication and authorization mechanisms to verify the identity and permissions of the developers.

Disabling the Telnet service would harden the server by removing an insecure protocol that transmits data in cleartext and could allow unauthorized access to the server. Changing the SSH port to a non-standard port would harden the server by reducing the exposure to brute-force attacks or port scans that target the default SSH port (22). Uninstalling the DNS service, performing a vulnerability scan, changing the server’s IP to a private IP address, or blocking port 80 with the host-based firewall would not harden the server or could affect its functionality as a web server. Reference: https://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html

Reverse engineering is the process of analyzing a binary file without executing it, by using tools such as disassemblers, debuggers, and decompilers. Reverse engineering can help identify the functionality, behavior, and purpose of a binary file, as well as any malicious code or vulnerabilities it may contain.

RBAC helps organizations manage access to critical infrastructure networks by assigning access based on roles. This allows organizations to control who can access specific resources and helps eliminate weak credentials that attackers could exploit. Manual reviews and endpoint detection and response can also help to mitigate risk, but role based access control is the best solution for this scenario.

An incident response plan should cover the most important and likely scenarios that could compromise the security and operations of an organization. According to various sources of best practices123, an incident response plan should start by conducting a risk assessment to identify potential threats and vulnerabilities, and prioritize the critical systems that need to be protected and restored in case of an incident. Focusing on incidents that affect critical systems ensures that the incident response plan covers the most severe and impactful situations that could harm the organization’s mission, reputation, or legal obligations.

Port 22 is the default port for Secure Shell (SSH), which is a protocol that allows remote access and administration of a server. If the server is dedicated to one function (web server) and unneeded services are disabled, then port 22 should be closed, because SSH is not necessary for a web server and could pose a security risk if exploited. Port 80, port 443, and port 1433 are ports that are needed for a web server, because they are used for HTTP, HTTPS, and SQL Server respectively. Reference: https://www.ssh.com/ssh/port

The testing is outside the contractual scope is the most dangerous to the client environment during a vulnerability assessment penetration test. A contractual scope defines the boundaries and limitations of the testing, such as the target systems, networks, applications, methods, techniques, tools, time frame, and deliverables. Testing outside the contractual scope can violate the agreement between the tester and the client and cause legal or ethical issues. Testing outside the contractual scope can also damage or disrupt the client environment by affecting systems, networks, applications, or data that are not authorized or intended for testing. Testing outside the contractual scope can also compromise the validity and reliability of the test results and recommendations. There is a longer period of time to assess the environment (A) is not necessarily dangerous to the client environment during a vulnerability assessment penetration test. A longer period of time can allow for more thorough and comprehensive testing and analysis of the vulnerabilities and risks in the client environment. However, a longer period of time can also increase the exposure and likelihood of detection by attackers or defenders. There is a shorter period of time to assess the environment © is also not necessarily dangerous to the client environment during a vulnerability assessment penetration test. A shorter period of time can reduce the exposure and likelihood of detection by attackers or defenders. However, a shorter period of time can also limit the depth and breadth of testing and analysis of the vulnerabilities and risks in the client environment. No status reports are included with the assessment (D) is not dangerous to the client environment during a vulnerability assessment penetration test. Status reports are documents that provide updates on the progress and findings of the testing to the client or stakeholders. Status reports can help to communicate effectively and transparently with the client or stakeholders and address any issues or concerns that may arise during the testing. However, status reports do not directly affect the client environment or its security.

Potential data loss to external users is a threat that applies to this situation, where the accounting department is hosting an accounts receivable form on a public document service. Anyone with the link can access it. Data loss is an event that results in the destruction, corruption, or unauthorized disclosure of sensitive or confidential data. Data loss can occur due to various reasons, such as human error, hardware failure, malware infection, or cyberattack. In this case, hosting an accounts receivable form on a public document service exposes the data to potential data loss to external users who may access it without authorization or maliciously modify or delete it .

 A sinkhole is a technique that redirects malicious network traffic to a controlled destination, such as a fake server or a black hole. A sinkhole can be used to stop malicious communications with a command-and-control server by preventing the malware from reaching its intended destination. A high entropy level means that the sinkhole can generate random domain names that match the changing domain name used by the malware for callback. Blocking TCP/443 at the edge router, disabling TCP/53 at the perimeter firewall, or configuring the DNS forwarders to use recursion are other possible actions that could stop malicious communications, but they could also disrupt legitimate services that use those protocols or settings. Reference: https://www.cisco.com/c/en/us/about/security-center/dns-sinkholing.html