CS0-003 Exam Details

  • Exam Code: CS0-003
  • Exam Name: CompTIA Cybersecurity Analyst (CySA+)
  • Certification: CompTIA Certifications
  • Vendor: CompTIA
  • Total Questions: 680 Q&As
  • Last Updated: Jun 02, 2026

CompTIA CS0-003 Online Questions & Answers

  • Question 111:

    A security analyst is reviewing a packet capture in Wireshark that contains an FTP session from a potentially compromised machine. The analyst sets the following display filter: ftp. The analyst can see there are several RETR requests with 226 Transfer complete responses, but the packet list pane is not showing the packets containing the file transfer itself.

    Which of the following can the analyst perform to see the entire contents of the downloaded files?

    A. Change the display filter to ftp.active.port
    B. Change the display filter to tcp.port=20
    C. Change the display filter to ftp-data and follow the TCP streams
    D. Navigate to the File menu and select FTP from the Export objects option

  • Question 112:

    A security administrator is tasked with modifying the vulnerability scan process to reduce the network traffic but maintain thorough checks.

    Which of the following scanning approaches should be implemented?

    A. Credentialed scans
    B. Individual scans
    C. Security baseline scans
    D. Agent-based scans

  • Question 113:

    SIMULATION

    You are a penetration tester who is reviewing the system hardening guidelines for a company. Hardening guidelines indicate the following.

    1. There must be one primary server or service per device.

    2. Only default ports should be used.

    3. Non-secure protocols should be disabled.

    4. The corporate internet presence should be placed in a protected subnet.

    Instructions:

    Using the available tools, discover devices on the corporate network and the services running on these devices.

    You must determine:

    1. The IP address of each device

    2. The primary server or service of each device

    3. The protocols that should be disabled based on the hardening guidelines

    A. See the answer below in explanation.
    B. Placeholder
    C. Placeholder
    D. Placeholder

  • Question 114:

    An incident response analyst is taking over an investigation from another analyst. The investigation has been going on for the past few days.

    Which of the following steps is most important during the transition between the two analysts?

    A. Identify and discuss the lessons learned with the prior analyst.
    B. Accept all findings and continue to investigate the next item target.
    C. Review the steps that the previous analyst followed.
    D. Validate the root cause from the prior analyst.

  • Question 115:

    The Chief Executive Officer of an organization recently heard that exploitation of new attacks in the industry was happening approximately 45 days after a patch was released.

    Which of the following would best protect this organization?

    A. A mean time to remediate of 30 days
    B. A mean time to detect of 45 days
    C. A mean time to respond of 15 days
    D. Third-party application testing

  • Question 116:

    A security analyst has just received an incident ticket regarding a ransomware attack.

    Which of the following would most likely help an analyst properly triage the ticket?

    A. Incident response plan
    B. Lessons learned
    C. Playbook
    D. Tabletop exercise

  • Question 117:

    A company's user accounts have been compromised. Users are also reporting that the company's internal portal is sometimes only accessible through HTTP; other times, it is accessible through HTTPS.

    Which of the following most likely describes the observed activity?

    A. There is an issue with the SSL certificate causing port 443 to become unavailable for HTTPS access
    B. An on-path attack is being performed by someone with internal access that forces users into port 80
    C. The web server cannot handle an increasing amount of HTTPS requests so it forwards users to port 80
    D. An error was caused by BGP due to new rules applied over the company's internal routers

  • Question 118:

    Which of the following tools is most suitable for a security analyst to analyze network traffic and search for malicious activity from a compromised host?

    A. WAF
    B. Wireshark
    C. EDR
    D. Nmap

  • Question 119:

    After a recent vulnerability report for a server is presented, a business must decide whether to secure the company's web-based storefront or shut it down. The developer is not able to fix the zero-day vulnerability because a patch does not exist yet.

    Which of the following is the best option for the business?

    A. Limit the API request for new transactions until a patch exists.
    B. Take the storefront offline until a patch exists.
    C. Identify the degrading functionality.
    D. Put a WAF in front of the storefront.

  • Question 120:

    A security analyst is analyzing the following output from the Spider tab of OWASP ZAP after a vulnerability scan was completed:

    Which of the following options can the analyst conclude based on the provided output?

    A. The scanning vendor used robots to make the scanning job faster
    B. The scanning job was successfully completed, and no vulnerabilities were detected
    C. The scanning job did not successfully complete due to an out of scope error
    D. The scanner executed a crawl process to discover pages to be assessed
