CompTIA CompTIA Certifications CS0-003 Questions & Answers

• Question 201:

  A cybersecurity analyst is tasked with scanning a web application to understand where the scan will go and whether there are URIs that should be denied access prior to more in-depth scanning. Which of following best fits the type of scanning activity requested?

  A. Uncredentialed scan

  B. Discovery scan

  C. Vulnerability scan

  D. Credentialed scan

  Correct Answer: B

  A discovery scan is typically used to identify the scope of a web application and understand where the scan will go. This type of scan is often the first step in assessing a web application's security and helps the analyst determine which areas should be further examined or tested in-depth.

  Reference: https://qualysguard.qg2.apps.qualys.com/portal-help/en/was/scans/scanning_basics.htm

• Question 202:

  A company recently removed administrator rights from all of its end user workstations. An analyst uses CVSSv3.1 exploitability metrics to prioritize the vulnerabilities for the workstations and produces the following information:

  

  Which of the following vulnerabilities should be prioritized for remediation?

  A. nessie.explosion

  B. vote.4p

  C. sweet.bike

  D. great.skills

  Correct Answer: D

• Question 203:

  A recent penetration test discovered that several employees were enticed to assist attackers by visiting specific websites and running downloaded files when prompted by phone calls. Which of the following would best address this issue?

  A. Increasing training and awareness for all staff

  B. Ensuring that malicious websites cannot be visited

  C. Blocking all scripts downloaded from the internet

  D. Disabling all staff members' ability to run downloaded applications

  Correct Answer: A

• Question 204:

  A security analyst at a company is reviewing an alert from the file integrity monitoring indicating a mismatch in the login. html file hash. After comparing the code with the previous version of the page source code, the analyst found the following code snippet added:

  

  Which of the following best describes the activity the analyst has observed?

  A. Obfuscated links

  B. Exfiltration

  C. Unauthorized changes

  D. Beaconing

  Correct Answer: B

• Question 205:

  A security administrator has been notified by the IT operations department that some vulnerability reports contain an incomplete list of findings. Which of the following methods should be used to resolve this issue?

  A. Credentialed scar

  B. External scan

  C. Differential scan

  D. Network scan

  Correct Answer: A

  A credentialed scan is a type of vulnerability scan that uses valid credentials to log in to the scanned systems and perform a more thorough and accurate assessment of their vulnerabilities. A credentialed scan can access more information than a non-credentialed scan, such as registry keys, patch levels, configuration settings, and installed applications. A credentialed scan can also reduce the number of false positives and false negatives, as it can verify the actual state of the system rather than relying on inference or assumptions. The other types of scans are not related to the issue of incomplete findings, as they refer to different aspects of vulnerability scanning, such as the scope, location, or frequency of the scan. An external scan is a scan that is performed from outside the network perimeter, usually from the internet. An external scan can reveal how an attacker would see the network and what vulnerabilities are exposed to the public. An external scan cannot access internal systems or resources that are behind firewalls or other security controls. A differential scan is a scan that compares the results of two scans and highlights the differences between them. A differential scan can help identify changes in the network environment, such as new vulnerabilities, patched vulnerabilities, or new devices. A differential scan does not provide a complete list of findings by itself, but rather a summary of changes. A network scan is a scan that focuses on the network layer of the OSI model and detects vulnerabilities related to network devices, protocols, services, and configurations. A network scan can discover open ports, misconfigured firewalls, unencrypted traffic, and other network-related issues. A network scan does not provide information about the application layer or the host layer of the OSI model, such as web applications or operating systems.

  Reference: https://www.splunk.com/en_us/blog/learn/vulnerability-scanning.html

• Question 206:

  The vulnerability analyst reviews threat intelligence regarding emerging vulnerabilities affecting workstations that are used within the company:

  

  Which of the following vulnerabilities should the analyst be most concerned about, knowing that end users frequently click on malicious links sent via email?

  A. Vulnerability A

  B. Vulnerability B

  C. Vulnerability C

  D. Vulnerability D

  Correct Answer: A

• Question 207:

  An incident response analyst is taking over an investigation from another analyst. The investigation has been going on for the past few days. Which of the following steps is most important during the transition between the two analysts?

  A. Identify and discuss the lessons learned with the prior analyst.

  B. Accept all findings and continue to investigate the next item target.

  C. Review the steps that the previous analyst followed.

  D. Validate the root cause from the prior analyst.

  Correct Answer: C

• Question 208:

  The security analyst received the monthly vulnerability report. The following findings were included in the report:

  1.

  Five of the systems only required a reboot to finalize the patch application

  2.

  Two of the servers are running outdated operating systems and cannot be patched

  The analyst determines that the only way to ensure these servers cannot be compromised is to isolate them. Which of the following approaches will best minimize the risk of the outdated servers being compromised?

  A. Compensating controls

  B. Due diligence

  C. Maintenance windows

  D. Passive discovery

  Correct Answer: A

  Compensating controls are the best approach to minimize the risk of the outdated servers being compromised, as they can provide an alternative or additional layer of security when the primary control is not feasible or effective. Compensating controls are security measures that are implemented to mitigate the risk of a vulnerability or an attack when the primary control is not feasible or effective. For example, if the servers are running outdated operating systems and cannot be patched, a compensating control could be to isolate them from the rest of the network, or to implement a firewall or an intrusion prevention system to monitor and block any malicious traffic to or from the servers. Compensating controls can help reduce the likelihood or impact of an exploit, but they do not eliminate the risk completely. Therefore, the security analyst should also consider upgrading or replacing the outdated servers as soon as possible.

• Question 209:

  After identifying a threat, a company has decided to implement a patch management program to remediate vulnerabilities. Which of the following risk management principles is the company exercising?

  A. Transfer

  B. Accept

  C. Mitigate

  D. Avoid

  Correct Answer: C

  Mitigate is the best term to describe the risk management principle that the company is exercising, as it means to reduce the likelihood or impact of a risk. By implementing a patch management program to remediate vulnerabilities, the company is mitigating the threat of cyberattacks that could exploit those vulnerabilities and compromise the security or functionality of the systems. The other terms are not as accurate as mitigate, as they describe different risk management principles. Transfer means to shift the responsibility or burden of a risk to another party, such as an insurer or a contractor. Accept means to acknowledge the existence of a risk and decide not to take any action to reduce it, usually because the risk is low or the cost of mitigation is too high. Avoid means to eliminate the possibility of a risk by changing the plans or activities that could cause it, such as cancelling a project or discontinuing a service

  Reference: https://safetyculture.com/topics/risk-management/

• Question 210:

  A security analyst discovers an ongoing ransomware attack while investigating a phishing email. The analyst downloads a copy of the file from the email and isolates the affected workstation from the network. Which of the following activities should the analyst perform next?

  A. Wipe the computer and reinstall software

  B. Shut down the email server and quarantine it from the network

  C. Acquire a bit-level image of the affected workstation

  D. Search for other mail users who have received the same file

  Correct Answer: D

  This is the containment stage and not eradication, in containment you would go and prevent further damage to contain the incident, the isolated computer is already hit with ransomware bit level backup won't make a difference at this point, contain first then move to bit level and forensics to eradicate then wipe clean