comptia cs0-001 practice test
CompTIA CSA+ Certification Exam
Question 1
Which of the following principles describes how a security analyst should communicate during an incident?
- A. The communication should be limited to trusted parties only.
- B. The communication should be limited to security staff only.
- C. The communication should come from law enforcement.
- D. The communication should be limited to management only.
Answer:
A
Question 2
Which of the following has the GREATEST impact to the data retention policies of an organization?
- A. The CIA classification matrix assigned to each piece of data
- B. The level of sensitivity of the data established by the data owner
- C. The regulatory requirements concerning the data set
- D. The technical constraints of the technology used to store the data
Answer:
D
Question 3
A cybersecurity analyst is reviewing Apache logs on a web server and finds that some logs are missing. The analyst has
identified that the systems administrator accidentally deleted some log files. Which of the following actions or rules should be
implemented to prevent this incident from reoccurring?
- A. Personnel training
- B. Separation of duties
- C. Mandatory vacation
- D. Backup server
Answer:
D
Question 4
A SIEM alert occurs with the following output:
Which of the following BEST describes this alert?
- A. The alert is a false positive; there is a device with dual NICs
- B. The alert is valid because IP spoofing may be occurring on the network
- C. The alert is a false positive; both NICs are of the same brand
- D. The alert is valid because there may be a rogue device on the network
Answer:
B
Question 5
An organization has recently experienced a data breach. A forensic analysis confirmed the attacker found a legacy web
server that had not been used in over a year and was not regularly patched. After a discussion with the security team,
management decided to initiate a program of network reconnaissance and penetration testing. They want to start the
process by scanning the network for active hosts and open ports. Which of the following tools is BEST suited for this job?
- A. Ping
- B. Nmap
- C. Netstat
- D. ifconfig
- E. Wireshark
- F. L0phtCrack
Answer:
B
Question 6
A security analyst wants to confirm a finding from a penetration test report on the internal web server. To do so, the analyst
logs into the web server using SSH to send the request locally. The report provides a link to
https://hrserver.internal/../../etc/passwd, and the server IP address is 10.10.10.15.
However, after several attempts, the analyst cannot get the file, despite attempting to get it using different ways, as shown
below.
Which of the following would explain this problem? (Choose two.)
- A. The web server uses SNI to check for a domain name
- B. Requests can only be sent remotely to the web server
- C. The password file is write protected
- D. The web service has not started
- E. There is no local name resolution for hrserver internal.
Answer:
A
Question 7
An organization has two environments: development and production. Development is where applications are developed with
unit testing. The development environment has many configuration differences from the production environment. All
applications are hosted on virtual machines. Vulnerability scans are performed against all systems before and after any
application or configuration changes to any environment. Lately, vulnerability remediation activity has caused production
applications to crash and behave unpredictably. Which of the following changes should be made to the current vulnerability
management process?
- A. Create a third environment between development and production that mirrors production and tests all changes before deployment to the users
- B. Refine testing in the development environment to include fuzzing and user acceptance testing so applications are more stable before they migrate to production
- C. Create a second production environment by cloning the virtual machines, and if any stability problems occur, migrate users to the alternate production environment
- D. Refine testing in the production environment to include more exhaustive application stability testing while continuing to maintain the robust vulnerability remediation activities
Answer:
A
Question 8
An analyst has noticed unusual activities in the SIEM to a .cn domain name. Which of the following should the analyst use to
identify the content of the traffic?
- A. Log review
- B. Service discovery
- C. Packet capture
- D. DNS harvesting
Answer:
C
Question 9
An analyst was tasked with providing recommendations of technologies that are PKI X.509 compliant for a variety of secure
functions. Which of the following technologies meet the compatibility requirement? (Choose three.)
- A. 3DES
- B. AES
- C. IDEA
- D. PKCS
- E. PGP
- F. SSL/TLS
- G. TEMPEST
Answer:
B D F
Question 10
The security team for a large, international organization is developing a vulnerability management program. The
development staff has expressed concern that the new program will cause service interruptions and downtime as
vulnerabilities are remedied.
Which of the following should the security team implement FIRST as a core component of the remediation process to
address this concern?
- A. Automated patch management
- B. Change control procedures
- C. Security regression testing
- D. Isolation of vulnerable servers
Answer:
C
Question 11
While reviewing firewall logs, a security analyst at a military contractor notices a sharp rise in activity from a foreign domain
known to have well-funded groups that specifically target the companys R&D department. Historical data reveals other
corporate assets were previously targeted. This evidence MOST likely describes:
- A. an APT.
- B. DNS harvesting.
- C. a zero-day exploit.
- D. corporate espionage.
Answer:
A
Question 12
A cybersecurity analyst is hired to review the security measures implemented within the domain controllers of a company.
Upon review, the cybersecurity analyst notices a brute force attack can be launched against domain controllers that run on a
Windows platform. The first remediation step implemented by the cybersecurity analyst is to make the account passwords
more complex.
Which of the following is the NEXT remediation step the cybersecurity analyst needs to implement?
- A. Disable the ability to store a LAN manager hash.
- B. Deploy a vulnerability scanner tool.
- C. Install a different antivirus software.
- D. Perform more frequent port scanning.
- E. Move administrator accounts to a new security group.
Answer:
E
Question 13
Given the following output from a Linux machine:
file2cable i eth0 -f file.pcap
Which of the following BEST describes what a security analyst is trying to accomplish?
- A. The analyst is attempting to measure bandwidth utilization on interface eth0.
- B. The analyst is attempting to capture traffic on interface eth0.
- C. The analyst is attempting to replay captured data from a PCAP file.
- D. The analyst is attempting to capture traffic for a PCAP file.
- E. The analyst is attempting to use a protocol analyzer to monitor network traffic.
Answer:
E
Question 14
A corporation employs a number of small-form-factor workstations and mobile devices, and an incident response team is
therefore required to build a forensics kit with tools to support chip-off analysis. Which of the following tools would BEST
meet this requirement?
- A. JTAG adapters
- B. Last-level cache readers
- C. Write-blockers
- D. ZIF adapters
Answer:
A
Question 15
A security analyst, who is working for a company that utilizes Linux servers, receives the following results from a vulnerability
scan:
Which of the following is MOST likely a false positive?
- A. ICMP timestamp request remote date disclosure
- B. Windows SMB service enumeration via \srvsvc
- C. Anonymous FTP enabled
- D. Unsupported web server detection
Answer:
B