CompTIA CompTIA CySA+ CS0-003 Questions & Answers

• Question 1:

  Which of the following best describes the process of requiring remediation of a known threat within a given time frame?

  A. SLA

  B. MOU

  C. Best-effort patching

  D. Organizational governance

  Correct Answer: A

  An SLA is a formal agreement between two parties that defines the level of service, responsibilities, and expectations. It often includes specific terms related to the time frame within which certain actions or services must be performed. Requiring remediation of a known threat within a given time frame can be part of an SLA related to cybersecurity or incident response, ensuring that security issues are addressed promptly and effectively.

• Question 2:

  An incident response analyst is taking over an investigation from another analyst. The investigation has been going on for the past few days. Which of the following steps is most important during the transition between the two analysts?

  A. Identify and discuss the lessons learned with the prior analyst.

  B. Accept all findings and continue to investigate the next item target.

  C. Review the steps that the previous analyst followed.

  D. Validate the root cause from the prior analyst.

  Correct Answer: C

• Question 3:

  A company recently removed administrator rights from all of its end user workstations. An analyst uses CVSSv3.1 exploitability metrics to prioritize the vulnerabilities for the workstations and produces the following information:

  

  Which of the following vulnerabilities should be prioritized for remediation?

  A. nessie.explosion

  B. vote.4p

  C. sweet.bike

  D. great.skills

  Correct Answer: D

• Question 4:

  A recent penetration test discovered that several employees were enticed to assist attackers by visiting specific websites and running downloaded files when prompted by phone calls. Which of the following would best address this issue?

  A. Increasing training and awareness for all staff

  B. Ensuring that malicious websites cannot be visited

  C. Blocking all scripts downloaded from the internet

  D. Disabling all staff members’ ability to run downloaded applications

  Correct Answer: A

• Question 5:

  A security analyst at a company is reviewing an alert from the file integrity monitoring indicating a mismatch in the login. html file hash. After comparing the code with the previous version of the page source code, the analyst found the following code snippet added: Which of the following best describes the activity the analyst has observed?

  

  A. Obfuscated links

  B. Exfiltration

  C. Unauthorized changes

  D. Beaconing

  Correct Answer: C

• Question 6:

  A security administrator has been notified by the IT operations department that some vulnerability reports contain an incomplete list of findings. Which of the following methods should be used to resolve this issue?

  A. Credentialed scar

  B. External scan

  C. Differential scan

  D. Network scan

  Correct Answer: A

  A credentialed scan is a type of vulnerability scan that uses valid credentials to log in to the scanned systems and perform a more thorough and accurate assessment of their vulnerabilities. A credentialed scan can access more information than a non-credentialed scan, such as registry keys, patch levels, configuration settings, and installed applications. A credentialed scan can also reduce the number of false positives and false negatives, as it can verify the actual state of the system rather than relying on inference or assumptions. The other types of scans are not related to the issue of incomplete findings, as they refer to different aspects of vulnerability scanning, such as the scope, location, or frequency of the scan. An external scan is a scan that is performed from outside the network perimeter, usually from the internet. An external scan can reveal how an attacker would see the network and what vulnerabilities are exposed to the public. An external scan cannot access internal systems or resources that are behind firewalls or other security controls. A differential scan is a scan that compares the results of two scans and highlights the differences between them. A differential scan can help identify changes in the network environment, such as new vulnerabilities, patched vulnerabilities, or new devices. A differential scan does not provide a complete list of findings by itself, but rather a summary of changes. A network scan is a scan that focuses on the network layer of the OSI model and detects vulnerabilities related to network devices, protocols, services, and configurations. A network scan can discover open ports, misconfigured firewalls, unencrypted traffic, and other network-related issues. A network scan does not provide information about the application layer or the host layer of the OSI model, such as web applications or operating systems.

  Reference: https://www.splunk.com/en_us/blog/learn/vulnerability-scanning.html

• Question 7:

  A. False positive

  B. True negative

  C. False negative

  D. True positive

  Correct Answer: C

  A false negative occurs when a security system or control fails to identify an actual threat or attack, which is the case here. The rule should have detected the attack, but it did not, leading to a false negative result.

• Question 8:

  A cybersecurity analyst is tasked with scanning a web application to understand where the scan will go and whether there are URIs that should be denied access prior to more in-depth scanning. Which of following best fits the type of scanning activity requested?

  A. Uncredentialed scan

  B. Discovery scan

  C. Vulnerability scan

  D. Credentialed scan

  Correct Answer: B

  A discovery scan is typically used to identify the scope of a web application and understand where the scan will go. This type of scan is often the first step in assessing a web application's security and helps the analyst determine which areas

  should be further examined or tested in-depth.

  Reference: https://qualysguard.qg2.apps.qualys.com/portal-help/en/was/scans/scanning_basics.htm

• Question 9:

  A security analyst discovers an ongoing ransomware attack while investigating a phishing email. The analyst downloads a copy of the file from the email and isolates the affected workstation from the network. Which of the following activities should the analyst perform next?

  A. Wipe the computer and reinstall software

  B. Shut down the email server and quarantine it from the network

  C. Acquire a bit-level image of the affected workstation

  D. Search for other mail users who have received the same file

  Correct Answer: D

  This is the containment stage and not eradication, in containment you would go and prevent further damage to contain the incident, the isolated computer is already hit with ransomware bit level backup won't make a difference at this point, contain first then move to bit level and forensics to eradicate then wipe clean

• Question 10:

  The security analyst received the monthly vulnerability report. The following findings were included in the report:

  1.

  Five of the systems only required a reboot to finalize the patch application

  2.

  Two of the servers are running outdated operating systems and cannot be patched

  The analyst determines that the only way to ensure these servers cannot be compromised is to isolate them. Which of the following approaches will best minimize the risk of the outdated servers being compromised?

  A. Compensating controls

  B. Due diligence

  C. Maintenance windows

  D. Passive discovery

  Correct Answer: A

  Compensating controls are the best approach to minimize the risk of the outdated servers being compromised, as they can provide an alternative or additional layer of security when the primary control is not feasible or effective. Compensating controls are security measures that are implemented to mitigate the risk of a vulnerability or an attack when the primary control is not feasible or effective. For example, if the servers are running outdated operating systems and cannot be patched, a compensating control could be to isolate them from the rest of the network, or to implement a firewall or an intrusion prevention system to monitor and block any malicious traffic to or from the servers. Compensating controls can help reduce the likelihood or impact of an exploit, but they do not eliminate the risk completely. Therefore, the security analyst should also consider upgrading or replacing the outdated servers as soon as possible.