CS0-002 CompTIA CySA+ Certification Exam (CS0-002) Free Practice Exam Questions (2025 Updated)

Dynamic analysis is a method for end-to-end vulnerability assessment that involves testing an application while it is running, by simulating user inputs, network traffic, or environmental conditions. Dynamic analysis can help identify security issues that may arise from the interaction between different components of the application, such as logic flaws, input validation errors, or session management weaknesses.

A security orchestration, automation, and response (SOAR) system is a solution that combines various security technologies and workflows to identify security issues, prioritize their severity, and automate a response. A SOAR system can help an organization consolidate its security tools and processes and standardize its workflow for incident response. The other options are not relevant or comprehensive for this purpose. References: CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page 15; https://www.gartner.com/en/information-technology/glossary/security-orchestration-automation-and-response-soar

Creating a data minimization plan would be the most cost-effective solution to the current data privacy and protection gap found in the last security assessment. Data minimization is a principle that states that organizations should collect, store, process, and retain only the minimum amount of personal data that is necessary for their legitimate purposes. Data minimization can help reduce the risk of data breaches, data leaks, or data misuse by limiting the exposure and access to sensitive data. Data minimization can also help comply with data protection regulations, such as the General Data Protection Regulation (GDPR), that require organizations to justify their data collection and processing activities. Data minimization can be achieved by implementing various measures, such as deleting or anonymizing unnecessary data, applying retention policies, or using encryption or pseudonymization techniques.

SSO stands for Single Sign-On, and it is a technology that allows users to authenticate once and access multiple applications or systems without entering their credentials again. SSO can help streamline each employee’s authentication, by reducing the number of passwords they have to remember or enter, and improving their user experience and productivity.

Setting up a warm disaster recovery site with the same cloud provider in a different region can help to achieve a recovery time objective (RTO) of 12 hours while keeping the costs low. A warm disaster recovery site is a partially configured site that has some of the essential hardware and software components ready to be activated in case of a disaster. A warm site can provide faster recovery than a cold site, which has no preconfigured components, but lower costs than a hot site, which has fully configured and replicated components. Using the same cloud provider can help to simplify the migration and synchronization processes, while using a different region can help to avoid regional outages or disasters .

The laptop of the vice president that is on the corporate LAN should be investigated first. According to the CompTIA CySA+ Certification Exam (CS0-002) study guide, when prioritizing security alerts, the analyst should prioritize assets based on the potential impact of a successful attack or compromise. Therefore, the laptop of the vice president, which is connected to the corporate LAN, should be investigated first, as it has the highest potential impact.

The correct answer is B. Document exceptions with compensating controls to demonstrate the risk mitigation efforts. Compensating controls are alternative or additional controls that are implemented when the primary or required controls are not feasible or effective. Compensating controls can help to reduce the risk to an acceptable level and satisfy the regulatory requirements, as long as they are documented and justified1.

A. Manually review the baselines daily and document the results in a change history log is not correct. This option would not prevent the recurrence of the problem, as it does not address the root cause of why the remote units did not recover after scans were performed. Moreover, this option would create an unsustainable process, as it would require a lot of time and resources to manually review and document the baselines of all assets on a daily basis.

C. Implement a new scanning technology to satisfy the monitoring requirement and train the team is not correct. This option would not guarantee that the problem would not recur, as it is possible that the new scanning technology would also cause issues with the remote units or other assets. Furthermore, this option would incur additional costs and efforts to acquire, deploy, and maintain the new scanning technology and train the team on how to use it.

D. Purchase new remote units from other vendors with a proven ability to support scanning requirements is not correct. This option would not be feasible or cost-effective, as it would require replacing all the remote units with new ones from different vendors. This option would also introduce new risks and challenges, such as compatibility, interoperability, or vendor lock-in.

Port triggering is a technique that allows inbound traffic to access certain ports on a device only after an outbound traffic request has been made from those ports. It can enhance the security and performance of a device by opening ports only when needed and closing them when not in use. The output from the network enumeration activities shows that port 21 (FTP) and port 22 (SSH) are open only after port 80 (HTTP) has been accessed, which indicates that port triggering is most likely being used. A web application firewall, an intrusion prevention system, port isolation, or port address translation are other techniques that can affect network traffic, but they do not match the description of the output from the network enumeration activities. Reference: https://www.techopedia.com/definition/3846/port-triggering

The correct answer is C. eFUSE. An eFUSE is a type of electronic fuse that can be programmed to permanently alter the functionality or configuration of a chipset. An eFUSE can be used to prevent security weaknesses that could be reintroduced by downgrading the firmware version on the chipset, by locking the firmware to a specific version or preventing unauthorized modifications. An eFUSE can also provide other benefits, such as anti-tampering, anti-counterfeiting, and device authentication1.

A. UEFI is not correct. UEFI stands for Unified Extensible Firmware Interface, and it is a standard that defines the software interface between an operating system and a platform firmware. UEFI can provide security features, such as secure boot, which verifies the integrity of the boot loader and prevents unauthorized code execution during the boot process. However, UEFI does not prevent security weaknesses that could be reintroduced by downgrading the firmware version on the chipset2.

B. A hardware security module is not correct. A hardware security module (HSM) is a physical device that provides secure storage and processing of cryptographic keys and operations. An HSM can protect sensitive data and transactions, such as encryption, decryption, signing, or verification, from unauthorized access or tampering. However, an HSM does not prevent security weaknesses that could be reintroduced by downgrading the firmware version on the chipset3.

D. Certificate signed updates are not correct. Certificate signed updates are a method of ensuring the authenticity and integrity of firmware updates by using digital certificates and signatures. Certificate signed updates can prevent malicious or corrupted firmware updates from being installed on the chipset, but they do not prevent security weaknesses that could be reintroduced by downgrading the firmware version on the chipset.

1: What Is an eFUSE? 2: What Is UEFI? 3: What Is a Hardware Security Module (HSM)?

The analyst should check if temporary files are being monitored first to respond to the issue. Temporary files are files that are created and used by applications for various purposes, such as storing data temporarily or caching data for faster access. However, temporary files are not meant to be permanent and are usually deleted when they are no longer needed or when the application is closed. Therefore, monitoring temporary files can generate many alerts from the file-integrity monitoring tool that are not relevant or useful for security purposes. The analyst should check if temporary files are being monitored and exclude them from the monitoring scope to reduce the number of alerts and focus on the files that should not change.

Building the chain-of-custody document is the procedure that must be completed first for this type of evidence acquisition. The chain-of-custody document is a record that tracks the handling and custody of digital evidence from the time it is collected until it is presented in court. The chain-of-custody document should include information such as the media model, serial number, size, vendor, date, and time of acquisition, as well as the names and signatures of the persons who handled, transferred, or examined the evidence. The chain-of-custody document helps to preserve the integrity and admissibility of the evidence by preventing tampering, alteration, or loss1.

The correct answer is D. Use a VPN to access the company’s data in the home office and keep the current solution for the business applications. A virtual private network (VPN) is a technology that creates a secure and encrypted connection over a public network, such as the internet. A VPN can allow users to access resources on a remote network, such as a server, as if they were on the same local network. A VPN can provide shared access from the remote office to the company’s data in the home office, while maintaining security and privacy1.

An eFuse, or electronic fuse, is a microscopic fuse put into a computer chip that can be blown by applying a high voltage or current. Once blown, an eFuse cannot be reset or repaired, and its state can be read by software or hardware2 An eFuse can be used by a hardware manufacturer to prevent firmware downgrades on a system-on-chip (SoC) that will be used by mobile devices. An eFuse can store information such as the firmware version, security level, or device configuration on the chip. When a newer firmware is installed, an eFuse can be blown to indicate the update and prevent reverting to an older firmware. This can help protect the device from security vulnerabilities, compatibility issues, or unauthorized modifications.

The server violates the policy of no network access to the internet because it has an established connection to an external IP address (216.58.194.174) on port 443, which is used for HTTPS traffic. This indicates that the server is communicating with a web server on the internet, which is not allowed by the policy. The other policies are not violated because SSH is only used for management of the server (not for accessing other devices), users are utilizing their own accounts (not logging in as an administrator), and unnecessary services are not enabled (only SSH and HTTPS are running). References: CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page 9; https://en.wikipedia.org/wiki/Jump_server

Data sovereignty is the idea that data are subject to the laws and governance structures of the nation where they are collected1 Data sovereignty issues can impact organizational initiatives that involve transferring or storing data across different jurisdictions, such as moving to a cloud-based environment. Cloud computing involves using remote servers and networks to store and process data, which may be located in different countries or regions with different data protection laws and regulations2 This can create challenges for organizations that need to comply with data sovereignty requirements of their own country or their customers’ countries, such as data localization, data access, data security, data breach notification, etc3

References: 1 Data sovereignty - Wikipedia 2 What Is Data Sovereignty? Everything You Need to Know - Permission.io 3 What is data sovereignty? - IONOS

The security analyst should review the known Apache vulnerabilities to determine if a compromise actually occurred. The SIEM alert indicates that an IDS signature detected an attempt to exploit a vulnerability in Apache Struts 2 (CVE-2017-5638), which allows remote code execution via a crafted Content-Type header4. The packet capture and TCP stream show that the attacker sent a malicious request with a Content-Type header containing an OGNL expression that executes the command “whoami” on the target server. However, this does not necessarily mean that the attack was successful, as it depends on whether the target server was running a vulnerable version of Apache Struts 2 or not. Therefore, the security analyst should review the known Apache vulnerabilities and compare them with the version of Apache Struts 2 running on the server to confirm if a compromise actually occurred or not.

 Cryptomining malware, or cryptojacking, is a type of malware that hides on a device and uses its computing resources to mine for valuable online currencies like Bitcoin. Cryptomining malware can cause performance issues, increased energy consumption, overheating, or hardware damage1 The analyst encountered cryptomining malware on the web server, as indicated by the following signs:

The analyst was unable to log in remotely or on the console, as the malware blocked access to prevent detection or removal.

The console messages showed that the server was running out of memory and CPU resources, as the malware consumed all available resources for mining.

The network captures showed many packets with a signature of “Stratum”, which is a protocol used for communication between miners and mining pools2

The best step for the analyst to take next is to reboot the server and disable any cron jobs or startup scripts that start the mining software. This can help stop the mining activity and restore access to the server. The analyst should also scan the server for any other traces of malware and remove them.

Role-based access control (RBAC) is a method of restricting access to resources based on the roles of users within an organization. RBAC assigns permissions and privileges to roles, rather than individual users, and grants access based on the principle of least privilege3 RBAC can help mitigate the risk of privilege escalation attacks on SCADA devices by ensuring that only authorized users have access to SCADA administration and management functions, and that they have the minimum level of access required to perform their tasks.

Credentialed scanning is a method of vulnerability scanning that uses valid user credentials to access the target systems and perform a more thorough and accurate assessment of their security posture. Credentialed scanning can help to reduce the number of false positives by allowing the scanner to access more information and resources on the systems, such as configuration files, registry keys, installed software, patches, and permissions .