CompTIA CompTIA CySA+ CS0-003 Questions & Answers

• Question 41:

  An analyst is examining events in multiple systems but is having difficulty correlating data points. Which of the following is most likely the issue with the system?

  A. Access rights

  B. Network segmentation

  C. Time synchronization

  D. Invalid playbook

  Correct Answer: C

  When examining events in multiple systems and having difficulty correlating data points, the most likely issue could be a lack of proper time synchronization across the systems. Time synchronization is crucial for accurate event correlation and forensic analysis, as it ensures that events are properly aligned in chronological order.

• Question 42:

  An analyst recommends that an EDR agent collect the source IP address, make a connection to the firewall, and create a policy to block the malicious source IP address across the entire network automatically. Which of the following is the best option to help the analyst implement this recommendation?

  A. SOAR

  B. SIEM

  C. SLA

  D. IoC

  Correct Answer: A

  SOAR (Security Orchestration, Automation, and Response) is the best option to help the analyst implement the recommendation, as it reflects the software solution that enables security teams to integrate and coordinate separate tools into streamlined threat response workflows and automate repetitive tasks. SOAR is a term coined by Gartner in 2015 to describe a technology that combines the functions of security incident response platforms, security orchestration and automation platforms, and threat intelligence platforms in one offering. SOAR solutions help security teams to collect inputs from various sources, such as EDR agents, firewalls, or SIEM systems, and perform analysis and triage using a combination of human and machine power. SOAR solutions also allow security teams to define and execute incident response procedures in a digital workflow format, using automation to perform low-level tasks or actions, such as blocking an IP address or quarantining a device. SOAR solutions can help security teams to improve efficiency, consistency, and scalability of their operations, as well as reduce mean time to detect (MTTD) and mean time to respond (MTTR) to threats. The other options are not as suitable as SOAR, as they do not match the description or purpose of the recommendation. SIEM (Security Information and Event Management) is a software solution that collects and analyzes data from various sources, such as logs, events, or alerts, and provides security monitoring, threat detection, and incident response capabilities. SIEM solutions can help security teams to gain visibility, correlation, and context of their security data, but they do not provide automation or orchestration features like SOAR solutions. SLA (Service Level Agreement) is a document that defines the expectations and responsibilities between a service provider and a customer, such as the quality, availability, or performance of the service. SLAs can help to manage customer expectations, formalize communication, and improve productivity and relationships, but they do not help to implement technical recommendations like SOAR solutions. IoC (Indicator of Compromise) is a piece of data or evidence that suggests a system or network has been compromised by a threat actor, such as an IP address, a file hash, or a registry key. IoCs can help to identify and analyze malicious activities or incidents, but they do not help to implement response actions like SOAR solutions.

• Question 43:

  A company receives a penetration test report summary from a third party. The report summary indicates a proxy has some patches that need to be applied. The proxy is sitting in a rack and is not being used, as the company has replaced it with a new one. The CVE score of the vulnerability on the proxy is a 9.8. Which of the following best practices should the company follow with this proxy?

  A. Leave the proxy as is.

  B. Decomission the proxy.

  C. Migrate the proxy to the cloud.

  D. Patch the proxy.

  Correct Answer: B

  Since the proxy is not in use and has a critical vulnerability with a high CVSS score, the best course of action is to decommission the proxy.

  Patching the proxy might be an option if it were actively being used and could not be replaced, but since a new proxy is already in place, decommissioning is the most appropriate action.

• Question 44:

  A company is in the process of implementing a vulnerability management program. Which of the following scanning methods should be implemented to minimize the risk of OT/ICS devices malfunctioning due to the vulnerability identification process?

  A. Non-credentialed scanning

  B. Passive scanning

  C. Agent-based scanning

  D. Credentialed scanning

  Correct Answer: B

  Passive scanning involves monitoring network traffic to identify vulnerabilities without actively probing or interacting with the devices. This method is relatively non-intrusive and can provide valuable information without directly affecting the

  systems.

  However, it's important to note that passive scanning might not identify all vulnerabilities, so a combination of passive scanning and periodic credentialed scanning might be a balanced approach to ensure accurate vulnerability assessment

  while minimizing disruption.

• Question 45:

  A security analyst is performing vulnerability scans on the network. The analyst installs a scanner appliance, configures the subnets to scan, and begins the scan of the network. Which of the following would be missing from a scan performed with this configuration?

  A. Operating system version

  B. Registry key values

  C. Open ports

  D. IP address

  Correct Answer: B

• Question 46:

  A security analyst discovers an LFI vulnerability that can be exploited to extract credentials from the underlying host. Which of the following patterns can the security analyst use to search the web server logs for evidence of exploitation of that particular vulnerability?

  A. /etc/shadow

  B. curl localhost

  C. ; printenv

  D. cat /proc/self/

  Correct Answer: A

  /etc/shadow is the pattern that the security analyst can use to search the web server logs for evidence of exploitation of the LFI vulnerability that can be exploited to extract credentials from the underlying host. LFI stands for Local File Inclusion, which is a ulnerability that allows an attacker to include local files on the web server into the output of a web application. LFI can be exploited to extract sensitive information from the web server, such as configuration files, passwords, or source code. The /etc/shadow file is a file that stores the encrypted passwords of all users on a Linux system. If an attacker can exploit the LFI vulnerability to include this file into the web application output, they can obtain the credentials of the users on the web server. Therefore, the security analyst can look for /etc/shadow in the request line of the web server logs to see if any attacker has attempted or succeeded in exploiting the LFI vulnerability.

  https://partners.comptia.org/docs/default-source/resources/comptia-cysa-cs0-002-exam-objectives https://www.comptia.org/certifications/cybersecurity-analyst https://www.comptia.org/blog/the-new-comptia-cybersecurity-analyst-your-questions-answered

• Question 47:

  While reviewing web server logs, a security analyst found the following line:

  

  Which of the following malicious activities was attempted?

  A. Command injection

  B. XML injection

  C. Server-side request forgery D. Cross-site scripting

  Correct Answer: D

  XSS is a type of web application attack that exploits the vulnerability of a web server or browser to execute malicious scripts or commands on the client-side. XSS attackers inject malicious code, such as JavaScript, VBScript, HTML, or CSS, into a web page or application that is viewed by other users. The malicious code can then access or manipulate the user's session, cookies, browser history, or personal information, or perform actions on behalf of the user, such as stealing credentials, redirecting to phishing sites, or installing malware

  The line in the web server log shows an example of an XSS attack using VBScript. The attacker tried to insert an tag with a malicious SRC attribute that contains a VBScript code. The VBScript code is intended to display a message box with the text “test” when the user views the web page or application. This is a simple and harmless example of XSS, but it could be used to test the vulnerability of the web server or browser, or to launch more sophisticated and harmful attacks

• Question 48:

  A SOC analyst identifies the following content while examining the output of a debugger command over a client-server application:

  getConnection(database01,"alpha" ,"AxTv.127GdCx94GTd");

  Which of the following is the most likely vulnerability in this system?

  A. Lack of input validation

  B. SQL injection

  C. Hard-coded credential

  D. Buffer overflow

  Correct Answer: C

  The most likely vulnerability in this system is hard-coded credential. Hard-coded credential is a practice of embedding or storing a username, password, or other sensitive information in the source code or configuration file of a system or application. Hard-coded credential can pose a serious security risk, as it can expose the system or application to unauthorized access, data theft, or compromise if the credential is discovered or leaked by an attacker. Hard-coded credential can also make it difficult to change or update the credential if needed, as it may require modifying the code or file and redeploying the system or application.

• Question 49:

  A technician is analyzing output from a popular network mapping tool for a PCI audit: Which of the following best describes the output?

  

  A. The host is not up or responding.

  B. The host is running excessive cipher suites.

  C. The host is allowing insecure cipher suites.

  D. The Secure Shell port on this host is closed.

  Correct Answer: C

• Question 50:

  A. SIEM

  B. XDR

  C. SOAR

  D. EDR

  Correct Answer: C