CompTIA CS0-003 Online Practice Questions and Exam Preparation
CS0-003 Exam Details
Exam Code: CS0-003
Exam Name: CompTIA Cybersecurity Analyst (CySA+)
Certification: CompTIA Certifications
Vendor: CompTIA
Total Questions: 680 Q&As
Last Updated: Jun 02, 2026
CompTIA CS0-003 Online Questions & Answers
Question 211:
A cybersecurity analyst is working with a SIEM tool and reviewing the following table:
When creating a rule in the company's SIEM, which of the following would be the BEST approach for the analyst to use to assess the risk level of each vulnerability that is discovered by the vulnerability assessment tool?
A. Create a trend with the table and join the trend with the desired rule to be able to extract the risk level of each vulnerability
B. Use Boolean filters in the SIEM rule to take advantage of real-time processing and RAM to store the table dynamically, generate the results faster, and be able to display the table in a dashboard or export it as a report
C. Use a static table stored on the disk of the SIEM system to correlate its data with the data ingested by the vulnerability scanner data collector
D. Use the table as a new index or database for the SIEM to be able to use multisearch and then summarize the results as output
B. Use Boolean filters in the SIEM rule to take advantage of real-time processing and RAM to store the table dynamically, generate the results faster, and be able to display the table in a dashboard or export it as a report
Question 212:
An analyst is investigating a phishing incident and has retrieved the following as part of the investigation:
Which of the following should the analyst use to gather more information about the purpose of this command?
A. Echo the command payload content into 'base64 -d'.
B. Execute the command from a Windows VM.
C. Use a command console with administrator privileges to execute the code.
D. Run the command as an unprivileged user from the analyst workstation.
A. Echo the command payload content into 'base64 -d'.
Explanation
The command in question involves an encoded PowerShell command, which attackers typically use to obfuscate malicious scripts. To understand the payload, the analyst needs to decode the base64-encoded string. This is why option A is the correct answer: 'base64 -d' decodes base64 data, revealing the plaintext of the encoded command, which can then be analyzed to understand the actions the attacker was attempting to perform, without ever executing it.
Option B is risky and not advised without a controlled and isolated environment.
Option C is not safe because executing unknown or suspicious code with administrator privileges could cause harm to the system or network.
Option D also poses a risk of executing potentially harmful code on an analyst's workstation.
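An added example, not part of the original question set, showing the decoding step from the explanation done offline in Python instead of by running the command. PowerShell's -EncodedCommand wraps UTF-16LE text in base64, so a plain `base64 -d` shows NUL bytes between characters; this helper extracts the argument, decodes it with the right text encoding, and lists the cmdlets and URLs found in the plaintext so the analyst can judge intent without executing anything. The sample command line is constructed and carries a harmless Write-Output.

```python
import base64
import re
from typing import Optional

# Constructed sample: a process-creation record as a defender might see it in a SIEM.
# The payload is harmless; it is encoded the way PowerShell expects (UTF-16LE, then base64).
SAMPLE_PLAINTEXT = 'Write-Output "connectivity check"'
SAMPLE_CMDLINE = (
    "powershell.exe -NoProfile -EncodedCommand "
    + base64.b64encode(SAMPLE_PLAINTEXT.encode("utf-16-le")).decode()
)

# PowerShell accepts abbreviated forms of the flag; match them case-insensitively.
ENC_FLAGS = {"-e", "-ec", "-enc", "-encoded", "-encodedcommand"}


def extract_encoded_payload(cmdline: str) -> Optional[str]:
    """Return the base64 argument that follows an -EncodedCommand style flag, or None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in ENC_FLAGS:
            return tokens[i + 1]
    return None


def decode_payload(b64: str) -> str:
    """Decode the payload to text; never evaluates it."""
    padded = b64 + "=" * (-len(b64) % 4)  # tolerate padding stripped by a logger
    raw = base64.b64decode(padded, validate=True)
    # UTF-16LE ASCII text has a NUL in every odd byte; plain UTF-8 does not.
    if len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le")
    return raw.decode("utf-8", errors="replace")


def analyze(cmdline: str) -> dict:
    """Summarize what an encoded command would do, from its decoded text alone."""
    b64 = extract_encoded_payload(cmdline)
    if b64 is None:
        return {"encoded": False}
    script = decode_payload(b64)
    return {
        "encoded": True,
        "script": script,
        # Verb-Noun cmdlet names and any URLs show the analyst the command's intent.
        "cmdlets": sorted(set(re.findall(r"\b[A-Z][a-z]+-[A-Za-z]+\b", script))),
        "urls": re.findall(r"https?://[^\s'\"]+", script),
    }
```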
Question 213:
A group of hacktivists has breached and exfiltrated data from several of a bank's competitors. Given the following network log output:
Which of the following represents the greatest concerns with regard to potential data exfiltration? (Choose two.)
A. 1 B. 2 C. 3 D. 4 E. 5 F. 6 G. 7
D. 4 G. 7
Explanation
D (4: HTTPS traffic to an external IP - 5.29.1.5)
G (7: FTP traffic to an external backup server - bank.backup.com)
Other options:
A (ARP traffic): not a concern, just address resolution
B (RPC Kerberos traffic): normal for authentication
C (SMB traffic): internal file sharing
E (DNS traffic): common; it can carry exfiltration in some cases, but not in this log
F (WUS traffic): appears to be Windows Update Service traffic, likely legitimate
CompTIA CySA+ CS0-003, Chapter 5: "Network Security Monitoring and Analysis,"
Section: "Detecting Data Exfiltration"
Question 214:
A cybersecurity analyst is recommending a solution to ensure emails that contain links or attachments are tested before they reach a mail server.
Which of the following will the analyst most likely recommend?
A. Sandboxing
B. MFA
C. DKIM
D. Vulnerability scan
A. Sandboxing
Question 215:
An organization wants to consolidate a number of security technologies throughout the organization and standardize a workflow for identifying security issues, prioritizing their severity, and automating a response.
Which of the following would best meet the organization's needs?
A. MaaS
B. SIEM
C. SOAR
D. CI/CD
C. SOAR
Explanation
A security orchestration, automation, and response (SOAR) system is a solution that combines various security technologies and workflows to identify security issues, prioritize their severity, and automate a response. A SOAR system can help an organization consolidate its security tools and processes and standardize its workflow for incident response. The other options are not relevant or comprehensive for this purpose. CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page 15.
Question 216:
An auditor is reviewing an evidence log associated with a cybercrime. The auditor notices that a gap exists between the individuals who were responsible for holding and transferring the evidence and the individuals responsible for the investigation.
Which of the following best describes the evidence handling process that was not properly followed?
A. Validating data integrity
B. Preservation
C. Legal hold
D. Chain of custody
D. Chain of custody
Explanation
The chain of custody is a documented history that tracks how evidence is handled, collected, transported, and preserved at every stage of the forensic investigation. If a gap exists in the record of who transferred or accessed the evidence, it could call into question the integrity and admissibility of the evidence.
Validating data integrity (Option A) refers to ensuring that the forensic image is identical to the original data, often using cryptographic hashing, but it does not address procedural gaps in documentation. Preservation (Option B) involves protecting the original evidence from modification or loss but does not include logging transfers of custody. Legal hold (Option C) refers to a requirement to preserve data for legal proceedings, which is different from tracking evidence handling. Thus, the correct answer is D, as chain of custody directly relates to tracking who had access to the evidence and when.
Question 217:
A virtual web server in a server pool was infected with malware after an analyst used the internet to research a system issue. After the server was rebuilt and added back into the server pool, users reported issues with the website, indicating the site could not be trusted.
Which of the following is the most likely cause of the server issue?
A. The server was configured to use SSL to securely transmit data.
B. The server was supporting weak TLS protocols for client connections.
C. The malware infected all the web servers in the pool.
D. The digital certificate on the web server was self-signed.
D. The digital certificate on the web server was self-signed.
Explanation
A digital certificate is a document that contains the public key and identity information of a web server, and is signed by a trusted third-party authority called a certificate authority (CA). A digital certificate allows the web server to establish a secure connection with the clients using the HTTPS protocol, and also verifies the authenticity of the web server. A self-signed certificate is a digital certificate that is not signed by a CA, but by the web server itself. A self-signed certificate can cause issues with the website, as it may not be trusted by the clients or their browsers. Clients may receive warnings or errors when trying to access the website, indicating that the site could not be trusted or that the connection is not secure.
Question 218:
Which of the following best describes the document that defines the expectation to network customers that patching will only occur between 2:00 a.m. and 4:00 a.m.?
A. SLA
B. LOI
C. MOU
D. KPI
A. SLA
Question 219:
Which of the following best describes the goal of a disaster recovery exercise as preparation for possible incidents?
A. To provide metrics and test continuity controls
B. To verify the roles of the incident response team
C. To provide recommendations for handling vulnerabilities
D. To perform tests against implemented security controls
A. To provide metrics and test continuity controls
Explanation
A disaster recovery exercise is a simulation or test of the disaster recovery plan, which is the set of procedures and resources used to restore the normal operations of an organization after a disaster or major incident. The goal of a disaster recovery exercise is to provide metrics and test continuity controls, which are the measures that ensure the availability and resilience of an organization's critical systems and processes. A disaster recovery exercise can help evaluate the effectiveness, efficiency, and readiness of the disaster recovery plan, as well as identify and address any gaps or issues. The other options are not the best descriptions of the goal of a disaster recovery exercise. Verifying the roles of the incident response team (B) is a goal of an incident response exercise, which is a simulation or test of the incident response plan, the set of procedures and roles used to detect, contain, analyze, and remediate an incident. Providing recommendations for handling vulnerabilities (C) is a goal of a vulnerability assessment, which is a process of identifying and prioritizing the weaknesses and risks in an organization's systems or network. Performing tests against implemented security controls (D) is a goal of a penetration test, which is an authorized and simulated attack on an organization's systems or network to evaluate their security posture and identify any vulnerabilities or misconfigurations.
Question 220:
A security analyst is monitoring a company's network traffic and finds ping requests going to accounting and human resources servers from a SQL server. Upon investigation, the analyst discovers a technician was responding to potential network connectivity issues.
Which of the following is the best way for the security analyst to respond?
A. Report this activity as a false positive, as the activity is legitimate.
B. Isolate the system and begin a forensic investigation to determine what was compromised.
C. Recommend network segmentation to the management team as a way to secure the various environments.
D. Implement host-based firewalls on all systems to prevent ping sweeps in the future.
A. Report this activity as a false positive, as the activity is legitimate.