CompTIA CompTIA CySA+ CS0-003 Questions & Answers

• Question 271:

  Which of the following describes the difference between intentional and unintentional insider threats'?

  A. Their access levels will be different

  B. The risk factor will be the same

  C. Their behavior will be different

  D. The rate of occurrence will be the same

  Correct Answer: C

  The difference between intentional and unintentional insider threats is their behavior. Intentional insider threats are malicious actors who deliberately misuse their access to harm the organization or its assets. Unintentional insider threats are

  careless or negligent users who accidentally compromise the security of the organization or its assets. Their access levels, risk factors, and rates of occurrence may vary depending on various factors, but their behavior is the main distinction.

  Reference:

  CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page 12;

  https://www.cisa.gov/sites/default/files/publications/Insider_Threat_Mitigation_Guide_508.pdf

• Question 272:

  A security analyst needs to automate the incident response process for malware infections. When the following logs are generated, an alert email should automatically be sent within 30 minutes:

  

  Which of the following is the best way for the analyst to automate alert generation?

  A. Deploy a signature-based IDS

  B. Install a UEBA-capable antivirus

  C. Implement email protection with SPF

  D. Create a custom rule on a SIEM

  Correct Answer: D

  A security information and event management (SIEM) system is a tool that collects and analyzes log data from various sources and provides alerts and reports on security incidents and events. A security analyst can create a custom rule on a SIEM system to automate the incident response process for malware infections. For example, the analyst can create a rule that triggers an alert email when the SIEM system detects logs that match the criteria of malware infection, such as process name, file name, file hash, etc. The alert email can be sent within 30 minutes or any other desired time frame. The other options are not suitable or sufficient for this purpose. CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page 15; https://www.sans.org/reading-room/whitepapers/analyst/security-information-event-managementsiem-implementation-33969

• Question 273:

  An organization wants to consolidate a number of security technologies throughout the organization and standardize a workflow for identifying security issues prioritizing the severity and automating a response Which of the following would best meet the organization's needs'?

  A. MaaS

  B. SIEM

  C. SOAR

  D. CI/CD

  Correct Answer: C

  A security orchestration, automation, and response (SOAR) system is a solution that combines various security technologies and workflows to identify security issues, prioritize their severity, and automate a response. A SOAR system can help an organization consolidate its security tools and processes and standardize its workflow for incident response. The other options are not relevant or comprehensive for this purpose. CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page 15; https://www.gartner.com/en/informationtechnology/glossary/security-orchestration-automation-and-response-soar

• Question 274:

  A new prototype for a company's flagship product was leaked on the internet As a result, the management team has locked out all USB drives Optical drive writers are not present on company computers The sales team has been granted an exception to share sales presentation files with third parties Which of the following would allow the IT team to determine which devices are USB enabled?

  A. Asset tagging

  B. Device encryption

  C. Data loss prevention

  D. SIEMIogs

  Correct Answer: D

  A security information and event management (SIEM) system is a tool that collects and analyzes log data from various sources and provides alerts and reports on security incidents and events. A SIEM system can help the IT team to

  determine which devices are USB enabled by querying the log data for events related to USB device insertion, removal, or usage. The other options are not relevant or effective for this purpose. CompTIA Cybersecurity Analyst (CySA+)

  Certification Exam Objectives (CS0-002), page 15;

  https://www.sans.org/reading-room/whitepapers/analyst/securityinformation-event-management-siem-implementation-33969

• Question 275:

  A forensic analyst is conducting an investigation on a compromised server Which of the following should the analyst do first to preserve evidence''

  A. Restore damaged data from the backup media

  B. Create a system timeline

  C. Monitor user access to compromised systems

  D. Back up all log files and audit trails

  Correct Answer: D

  A forensic analyst is conducting an investigation on a compromised server. The first step that the analyst should do to preserve evidence is to back up all log files and audit trails. This will ensure that the analyst has a copy of the original data that can be used for analysis and verification. Backing up the log files and audit trails will also prevent any tampering or modification of the evidence by the attacker or other parties. The other options are not the first steps or may alter or destroy the evidence. CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0- 002), page 16; https://www.nist.gov/publications/guide-collection-and-preservation-digital-evidence

• Question 276:

  A cybersecurity analyst is researching operational data to develop a script that will detect the presence of a threat on corporate assets. Which of the following contains the most useful information to produce this script?

  A. API documentation

  B. Protocol analysis captures

  C. MITRE ATTandCK reports

  D. OpenloC files

  Correct Answer: C

  A cybersecurity analyst is researching operational data to develop a script that will detect the presence of a threat on corporate assets. The most useful information to produce this script is MITRE ATTandCK reports. MITRE ATTandCK is a

  knowledge base of adversary tactics and techniques based on real-world observations. MITRE ATTandCK reports provide detailed information on how different threat actors operate, what tools they use, what indicators they leave behind, and

  how to detect or mitigate their attacks. The other options are not as useful or relevant for this purpose.

  Reference: CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page 9; https://attack.mitre.org/

• Question 277:

  A security analyst is reviewing the network security monitoring logs listed below:

  Count: 2 Event#3.3505 2020-01-30 10:40 UTC GPL WEB SERVER robots. txt access

  10.1.1.128 -> 10.0.0.10 IPVer=4 hlen=5 tos=0 dlen=269 ID=0 flags=0 offset=0 tt1=0 chksum=22704 Protocol: 6 sport=45260 => dport=80 Sec=0 Ack=0 Off=5 Res=0 Flags=******** Win=0 urp=23415 chksum=0

  Count: 22 Event#3.3507 2020-01-30 10:40 UTC ET WEB SPECIFIC APPS PHPStudy Remote Code Execution Backdoor

  10.1.1.129 -> 10.0.0.10 IPVer=4 hen=5 tos=0 dlen=269 ID=0 flags=0 offset=0 tt1=0 chksum=22704 Protocol: 6 sport=65200 -> dport=80 Sea=0 Ack=0 off=5 Res=0 Flags=******** win=0 urp=26814 chksum=0

  Count: 30 Event#3.3522 2020-01-30 10:40 UTC ET WEB SERVER WEB-PHP phpinfo access

  10.1.1.130 -> 10.0.0.10 IPVer=4 hen=5 tos=0 dlen=269 ID=0 flags=0 offset=0 tt1=0 chksum=22704 Protocol: 6 sport=58175 -> dport=80 Sec=0 Ack=0 Off=5 Res=0 Flags=******** win=0 urp=22875 chksum=0

  Count: 22 Event#3.3728 2020-01-30 10:40 UTC GPL WEB SERVER 403 Forbidden

  10.0.0.10 -> 10.1.1.129 IPVer=4 hen=5 tos=0 dlen=533 ID=0 flags=0 offset=0 tt1=0 chksum=20471 Protocol: 6 sport=80 -> dport=65200 Sea=0 Ack=0 Off=5 Res=0 Flags=******** win=0 urp=59638 chksum=0

  Which of the following is the analyst MOST likely observing? (Choose two.)

  A. 10.1.1.128 sent potential malicious traffic to the web server.

  B. 10.1.1.128 sent malicious requests, and the alert is a false positive

  C. 10.1.1.129 successfully exploited a vulnerability on the web server

  D. 10.1.1.129 sent potential malicious requests to the web server

  E. 10.1.1.129 can determine mat port 443 is being used

  F. 10.1.1.130 can potentially obtain information about the PHP version

  Correct Answer: DF

  A security analyst is reviewing the network security monitoring logs listed below and is most likely observing that 10.1.1.129 sent potential malicious requests to the web server and that 10.1.1.130 can potentially obtain information about the

  PHP version. The logs show that 10.1.1.129 sent two requests to the web server with suspicious parameters, such as " " , which are commonly used for SQL injection attacks. The logs also show that 10.1.1.130 sent a request to the " , which

  is a function that displays information about the PHP configuration and environment, which can be useful for attackers to find vulnerabilities or exploit them. CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002),

  page 8;

  https://owasp.org/www-community/attacks/SQL_Injection;

  https://www.php.net/manual/en/function.phpinfo.php

• Question 278:

  Which of the following lines from this output most likely indicates that attackers could quickly use brute force and determine the negotiated secret session key?

  

  A. TLS_RSA_WITH_DES_CBC_SHA 56

  B. TLS_DHE_RSA_WITH_AES_128_CBC_SHA 128 DH (1024 bits)

  C. TLS_RSA_WITH_AES_256_CBC_SHA 256

  D. TLS_DHE_RSA_WITH_AES_256_GCM_SHA256 DH (2048 bits)

  Correct Answer: B

  The line from this output that most likely indicates that attackers could quickly use brute force and determine the negotiated secret session key is TLS_DHE_RSA_WITH_AES_128_CBC_SHA 128 DH (1024 bits). This line indicates that the cipher suite uses Diffie-Hellman ephemeral (DHE) key exchange with RSA authentication, AES 128-bit encryption with cipher block chaining (CBC) mode, and SHA-1 hashing. The DHE key exchange uses a 1024-bit Diffie-Hellman group, which is considered too weak for modern security standards and can be broken by attackers using sufficient computing power. The other lines indicate stronger cipher suites that use longer key lengths or more secure algorithms. CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0- 002), page 9; https://learn.microsoft.com/en-us/windows/win32/secauthn/cipher-suites-in-schannel

• Question 279:

  A risk assessment concludes that the perimeter network has the highest potential for compromise by an attacker, and it is labeled as a critical risk environment. Which of the following is a valid compensating control to reduce the volume of valuable information in the perimeter network that an attacker could gain using active reconnaissance techniques?

  A. A control that demonstrates that all systems authenticate using the approved authentication method

  B. A control that demonstrates that access to a system is only allowed by using SSH

  C. A control that demonstrates that firewall rules are peer reviewed for accuracy and approved before deployment

  D. A control that demonstrates that the network security policy is reviewed and updated yearly

  Correct Answer: C

  A valid compensating control to reduce the volume of valuable information in the perimeter network that an attacker could gain using active reconnaissance techniques is a control that demonstrates that firewall rules are peer reviewed for accuracy and approved before deployment. This control can help ensure that the firewall rules are configured correctly and securely, and that they do not allow unnecessary or unauthorized access to the perimeter network. The other options are not compensating controls or do not address the risk of active reconnaissance. CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page 14; https://www.isaca.org/resources/isaca-journal/issues6/volume-3/ compensating-controls

• Question 280:

  An analyst received an alert regarding an application spawning a suspicious command shell process Upon further investigation, the analyst observes the following registry change occurring immediately after the suspicious event:

  

  Which of the following was the suspicious event able to accomplish?

  A. Impair defenses.

  B. Establish persistence.

  C. Bypass file access controls.

  D. Implement beaconing.

  Correct Answer: A