CompTIA CS0-003 Online Practice Questions and Exam Preparation
CS0-003 Exam Details
Exam Code: CS0-003
Exam Name: CompTIA Cybersecurity Analyst (CySA+)
Certification: CompTIA Certifications
Vendor: CompTIA
Total Questions: 680 Q&As
Last Updated: Jun 02, 2026
CompTIA CS0-003 Online Questions & Answers
Question 221:
A company discovers that its proprietary information is being sold on the dark web. A security analyst uses threat hunting to search for signs of compromise. After running a network packet capture tool, the analyst identifies millions of packets similar to the following: The analyst does not detect or identify any other abnormalities.
Which of the following is most likely the malicious activity in this scenario?
A. An insider is using an IP command-and-control to sell proprietary information.
B. A threat actor is performing exfiltration over an alternative protocol.
C. A machine was infected with a virus that is trying to propagate.
D. A hacktivist is conducting an ICMP DDoS attack against the company.
B. A threat actor is performing exfiltration over an alternative protocol.
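The capture itself is not reproduced on this page, so the following is an added example rather than the question's data: it shows the kind of per-flow profiling an analyst would run over packet summaries to separate a covert channel from ordinary traffic. The packet list, the baseline payload sizes and the internal address prefix are all constructed assumptions. The heuristic flags one internal host sending many oversized packets on a protocol that should carry almost no data, which is the profile of exfiltration over an alternative protocol; a DDoS would instead show many sources hitting one target, and a propagating virus would show one host fanning out to many destinations.

```python
from collections import defaultdict

# Constructed packet summaries (protocol, source, destination, payload bytes); not from the page.
# One internal host pushes large ICMP echo payloads outbound, another runs an ordinary ping,
# and a third flow is normal HTTPS traffic.
SAMPLE_PACKETS = (
    [("ICMP", "10.0.0.25", "198.51.100.9", 1400)] * 200
    + [("ICMP", "10.0.0.7", "192.0.2.1", 56)] * 30
    + [("TCP/443", "10.0.0.25", "203.0.113.5", 1200)] * 500
)

# Assumed typical payload size, in bytes, for protocols that should not carry bulk data.
EXPECTED_PAYLOAD = {"ICMP": 64, "DNS": 120}


def profile_outbound(packets, internal_prefix="10."):
    """Aggregate outbound packets into per-(protocol, src, dst) packet and byte counts."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for proto, src, dst, payload in packets:
        if src.startswith(internal_prefix) and not dst.startswith(internal_prefix):
            flow = flows[(proto, src, dst)]
            flow["packets"] += 1
            flow["bytes"] += payload
    return flows


def find_covert_channels(packets, min_packets=50, size_factor=4, baseline=EXPECTED_PAYLOAD):
    """Flag outbound flows on small-payload protocols whose average payload is far above baseline.

    A single internal source sending many oversized ICMP/DNS packets to one external host is the
    profile of tunnelled exfiltration; a DDoS would show many sources hammering one target.
    """
    hits = []
    for (proto, src, dst), flow in profile_outbound(packets).items():
        expected = baseline.get(proto)
        if expected is None or flow["packets"] < min_packets:
            continue
        avg_payload = flow["bytes"] / flow["packets"]
        if avg_payload >= size_factor * expected:
            hits.append({
                "proto": proto, "src": src, "dst": dst,
                "packets": flow["packets"], "avg_payload": avg_payload,
                "bytes_out": flow["bytes"],
            })
    return sorted(hits, key=lambda h: h["bytes_out"], reverse=True)


if __name__ == "__main__":
    for hit in find_covert_channels(SAMPLE_PACKETS):
        print(f"{hit['proto']} {hit['src']} -> {hit['dst']}: "
              f"{hit['packets']} pkts, avg {hit['avg_payload']:.0f} B, {hit['bytes_out']} B out")
```

The ordinary ping flow is dropped by both the packet-count floor and the size check, and the HTTPS flow is ignored because bulk data on TCP/443 is expected; only the ICMP flow from 10.0.0.25 survives.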
Question 222:
During security scanning, a security analyst regularly finds the same vulnerabilities in a critical application.
Which of the following recommendations would best mitigate this problem if applied along the SDLC phase?
A. Conduct regular red team exercises over the application in production
B. Ensure that all implemented coding libraries are regularly checked
C. Use application security scanning as part of the pipeline for the CI/CD flow
D. Implement proper input validation for any data entry form
C. Use application security scanning as part of the pipeline for the CI/CD flow
Explanation
Application security scanning is a process that involves testing and analyzing applications for security vulnerabilities, such as injection flaws, broken authentication, cross-site scripting, and insecure configuration. Application security scanning can help identify and fix security issues before they become exploitable by attackers. Using application security scanning as part of the pipeline for the continuous integration/continuous delivery (CI/CD) flow can help mitigate the problem of finding the same vulnerabilities in a critical application during security scanning. This is because application security scanning can be integrated into the development lifecycle and performed automatically and frequently as part of the CI/CD process.
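To make the explanation concrete, here is an added example (not from the page or any particular scanner vendor) of the gate a CI/CD stage runs on scanner output so that a known vulnerability cannot be merged again. The scanner results are a constructed document in the SARIF 2.1.0 shape that most SAST and DAST tools can emit; the rule names and file paths are invented for illustration. Findings at a blocking severity fail the stage unless they are in a baseline of already-ticketed items, so the pipeline stays red only for new or regressed issues instead of for accumulated debt.

```python
import json

# Constructed scanner output in SARIF 2.1.0 shape; rule IDs and paths are invented for the example.
SAMPLE_SARIF = json.loads("""
{
  "version": "2.1.0",
  "runs": [{
    "tool": {"driver": {"name": "example-sast"}},
    "results": [
      {"ruleId": "sql-injection", "level": "error",
       "message": {"text": "SQL query built by string concatenation"},
       "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/db.py"},
                                           "region": {"startLine": 42}}}]},
      {"ruleId": "hardcoded-secret", "level": "error",
       "message": {"text": "API key literal in source"},
       "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/config.py"},
                                           "region": {"startLine": 7}}}]},
      {"ruleId": "debug-enabled", "level": "warning",
       "message": {"text": "DEBUG=True in settings"},
       "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/settings.py"},
                                           "region": {"startLine": 3}}}]}
    ]
  }]
}
""")


def findings(sarif):
    """Flatten SARIF runs/results into simple dicts (rule, level, file, line, text)."""
    out = []
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            loc = (result.get("locations") or [{}])[0].get("physicalLocation", {})
            out.append({
                "rule": result.get("ruleId", "unknown"),
                "level": result.get("level", "warning"),
                "file": loc.get("artifactLocation", {}).get("uri", "unknown"),
                "line": loc.get("region", {}).get("startLine", 0),
                "text": result.get("message", {}).get("text", ""),
            })
    return out


def gate(sarif, baseline=frozenset(), fail_levels=("error",)):
    """Pass/fail decision for a pipeline stage.

    baseline holds (rule, file) fingerprints of findings that are already ticketed; they are
    reported but do not block, so the build is red only for new or regressed findings.
    The fingerprint deliberately excludes the line number so unrelated edits do not reopen it.
    """
    blocking, known, info = [], [], []
    for f in findings(sarif):
        if f["level"] not in fail_levels:
            info.append(f)
        elif (f["rule"], f["file"]) in baseline:
            known.append(f)
        else:
            blocking.append(f)
    return {"passed": not blocking, "blocking": blocking, "known": known, "info": info}


if __name__ == "__main__":
    import sys
    verdict = gate(SAMPLE_SARIF, baseline={("hardcoded-secret", "app/config.py")})
    for f in verdict["blocking"]:
        print(f"BLOCK {f['rule']} {f['file']}:{f['line']} {f['text']}")
    sys.exit(0 if verdict["passed"] else 1)
```

Wired into the pipeline, the non-zero exit code is what stops the merge; the baseline file lives in the repository so a finding can only be "accepted" through a reviewed change, and it is trimmed as tickets are closed.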
Question 223:
A new SOC manager reviewed findings regarding the strengths and weaknesses of the last tabletop exercise in order to make improvements.
Which of the following should the SOC manager utilize to improve the process?
A. The most recent audit report
B. The incident response playbook
C. The incident response plan
D. The lessons-learned register
D. The lessons-learned register
Explanation
The lessons-learned register is an essential document that captures insights and feedback from past exercises or incidents, highlighting what went well and what did not. By utilizing this register, the SOC manager can identify specific areas for improvement and develop actionable steps to enhance future response efforts. According to CompTIA's CySA+ and Security+ guidance, lessons learned from tabletop exercises are crucial for iterative improvements in an incident response plan. Options A, B, and C are useful resources, but the lessons-learned register specifically focuses on reflection and improvement, which is the primary objective in this context.
Question 224:
A user is suspected of violating policy by logging in to a Linux VM during non-business hours.
Which of the following system files is the best way to track the user's activities?
A. /var/log/secure
B. /etc/motd
C. /var/log/messages
D. /etc/passwd
A. /var/log/secure
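As an added example (not part of the page), this is how an analyst would actually answer the question against the log: parse the sshd "Accepted" records in /var/log/secure and report the logins that fall outside business hours or on a weekend. The log excerpt is constructed; it assumes the logins of interest arrive over SSH (console and su events use different line formats), and, because classic syslog timestamps carry no year, the caller supplies it. On Debian-derived systems the same records live in /var/log/auth.log, and on journald-only hosts they come from `journalctl -u sshd`.

```python
import re
from datetime import datetime

# Constructed /var/log/secure excerpt (not from the page). Year supplied by the caller; 2024
# is assumed below, which makes Mar 4 a Monday and Mar 9 a Saturday.
SAMPLE_LOG = """\
Mar  4 09:12:41 vm01 sshd[2210]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2: ED25519 SHA256:k9x...
Mar  4 23:47:03 vm01 sshd[2390]: Accepted password for bob from 10.0.0.9 port 50310 ssh2
Mar  4 23:47:03 vm01 sshd[2390]: pam_unix(sshd:session): session opened for user bob by (uid=0)
Mar  5 02:14:07 vm01 sshd[2501]: Failed password for invalid user admin from 198.51.100.7 port 41022 ssh2
Mar  6 11:05:22 vm01 sshd[2777]: Accepted publickey for carol from 10.0.0.12 port 50400 ssh2: RSA SHA256:Qm2...
Mar  9 10:30:00 vm01 sshd[3001]: Accepted password for bob from 10.0.0.9 port 50501 ssh2
"""

# Matches only successful sshd logins; failed attempts and PAM session lines are ignored.
ACCEPTED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def off_hours_logins(log_text, year, start_hour=8, end_hour=18):
    """Return successful logins outside Mon-Fri start_hour..end_hour, in log order.

    year: syslog lines omit the year, so the caller states which one the file covers.
    """
    hits = []
    for line in log_text.splitlines():
        m = ACCEPTED.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        weekend = when.weekday() >= 5
        after_hours = not (start_hour <= when.hour < end_hour)
        if weekend or after_hours:
            hits.append({
                "user": m["user"],
                "src": m["src"],
                "method": m["method"],
                "time": when.isoformat(),
                "reason": "weekend" if weekend else "after-hours",
            })
    return hits


if __name__ == "__main__":
    for h in off_hours_logins(SAMPLE_LOG, 2024):
        print(f"{h['time']} {h['user']} from {h['src']} ({h['method']}): {h['reason']}")
```

The PAM session line for bob is deliberately not counted a second time, and the failed attempt against "admin" is not a login at all; the two hits are bob's Monday-night password login and his Saturday-morning one.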
Question 225:
A security analyst is evaluating the following support ticket:
Issue: Marketing campaigns are being filtered by the customer's email servers.
Description: Our marketing partner cannot send emails using our email address. The following log messages were collected from multiple customers:
1. The SPF result is PermError.
2. The SPF result is SoftFail or Fail.
3. The 550 SPF check failed.
Which of the following should the analyst do next?
A. Ask the marketing partner's ISP to disable the DKIM setting.
B. Request approval to disable DMARC on the company's ISP.
C. Ask the customers to disable SPF validation.
D. Request a configuration change on the company's public DNS.
D. Request a configuration change on the company's public DNS.
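The three log messages are exactly what receivers report when the sending IP is not authorized by the SPF record of the domain in the envelope sender, and the fix is to change that record, which lives in the company's public DNS. The following is an added example (not from the page) of a simplified SPF evaluator over constructed zone data: it reproduces the Fail customers see when the partner's servers are absent from the record, shows the result once the partner's range is published via `include:`, and shows the two ways a record earns a PermError (an `include:` of a domain with no record, and exceeding the ten-lookup limit of RFC 7208). Domain names, IP ranges and records are all invented; a real checker would resolve TXT records rather than read a dict, and would also handle a/mx/ptr/exists and redirect=, which are only stubbed here.

```python
import ipaddress

MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4; exceeding it is a PermError

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(domain, sender_ip, dns, _state=None):
    """Simplified SPF check returning pass, fail, softfail, neutral, none or permerror.

    dns maps a domain to its single SPF TXT record (constructed; real code queries DNS).
    Supported: ip4, ip6, include and all with qualifiers. a/mx/ptr/exists are counted against
    the lookup limit but treated as non-matching; redirect=/exp= modifiers are ignored.
    """
    state = _state if _state is not None else {"lookups": 0}
    record = dns.get(domain.lower())
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        if "=" in term:                      # modifier; ignored in this simplification
            continue
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.split("/")[0].lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"           # malformed network
        elif name in ("include", "a", "mx", "ptr", "exists"):
            state["lookups"] += 1
            if state["lookups"] > MAX_DNS_LOOKUPS:
                return "permerror"           # too many DNS lookups
            if name != "include":
                matched = False
            else:
                sub = evaluate_spf(arg, sender_ip, dns, state)
                if sub in ("none", "permerror"):
                    return "permerror"       # included domain has no usable record
                matched = sub == "pass"
        else:
            return "permerror"               # unknown mechanism
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"


# Constructed zone data. The company's original record lists only its own mail servers, while the
# marketing partner sends from 198.51.100.0/24, so receivers see "SPF result is Fail".
BROKEN_DNS = {
    "corp.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "_spf.partner.example": "v=spf1 ip4:198.51.100.0/24 ~all",
}
# The DNS change: publish the partner's range through include: in corp.example's record.
FIXED_DNS = dict(BROKEN_DNS, **{
    "corp.example": "v=spf1 ip4:203.0.113.0/24 include:_spf.partner.example -all",
})
PARTNER_SENDER = "198.51.100.7"


def too_many_includes(hops):
    """Evaluate a chain of `hops` include: records to show the lookup-limit PermError."""
    dns = {f"hop{i}.example": f"v=spf1 include:hop{i + 1}.example -all" for i in range(hops)}
    dns[f"hop{hops}.example"] = f"v=spf1 ip4:{PARTNER_SENDER} -all"
    return evaluate_spf("hop0.example", PARTNER_SENDER, dns)


if __name__ == "__main__":
    print("before:", evaluate_spf("corp.example", PARTNER_SENDER, BROKEN_DNS))
    print("after: ", evaluate_spf("corp.example", PARTNER_SENDER, FIXED_DNS))
    print("11 includes:", too_many_includes(11))
```

Two practical caveats follow from the code: the lookup counter is shared across the whole include chain, so adding a partner whose own record is lookup-heavy can tip an otherwise valid record into PermError, and an `include:` of a domain that publishes no SPF record is itself a PermError, which is why the partner's record must exist before the company's record references it.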
Question 226:
A SOC manager reviews metrics from the last four weeks to investigate a recurring availability issue. The manager finds similar events correlating to the times of the reported issues.
Which of the following methods would the manager most likely use to resolve the issue?
A. Vulnerability assessment
B. Root cause analysis
C. Recurrence reports
D. Lessons learned
B. Root cause analysis
Explanation
Root Cause Analysis (RCA) is the best approach to identify and resolve the underlying cause of recurring incidents. It involves a systematic investigation of logs, configurations, and operational data to pinpoint the reason behind persistent security issues.
Option A (Vulnerability assessment) helps identify security weaknesses but does not focus on recurring operational issues.
Option C (Recurrence reports) tracks patterns but does not resolve the root cause.
Option D (Lessons learned) is valuable but is typically a post-mortem discussion rather than an investigative method.
Thus, B is the correct answer, as root cause analysis is the best approach for diagnosing recurring availability issues.
Question 227:
HOTSPOT
An organization has noticed large amounts of data are being sent out of its network. An analyst is identifying the cause of the data exfiltration.
INSTRUCTIONS
Select the command that generated the output in tabs 1 and 2.
Review the output text in all tabs and identify the file responsible for the malicious behavior.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.
Question 228:
The management team has asked a senior security engineer to explore DLP security solutions for the company's growing use of cloud-based storage.
Which of the following is an appropriate solution to control the sensitive data that is being stored in the cloud?
A. NAC
B. IPS
C. CASB
D. WAF
C. CASB
Explanation
A cloud access security broker (CASB) is a security solution that monitors and controls the use of cloud-based services and applications. A CASB can provide data loss prevention (DLP) capabilities for sensitive data that is being stored in the cloud, such as encryption, masking, tokenization, or redaction. A CASB can also enforce policies and compliance requirements for cloud usage, such as authentication, authorization, auditing, and reporting. The other options are not appropriate solutions for controlling sensitive data in the cloud: NAC controls which devices may join the network, an IPS blocks network-level attacks, and a WAF protects web applications; none of them inspects or governs data held in cloud storage. Reference: CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page 14.
Question 229:
During a training exercise, a security analyst must determine the vulnerabilities to prioritize. The analyst reviews the following vulnerability scan output:
Which of the following issues should the analyst address first?
A. Allows anonymous read access to /etc/passwd
B. Allows anonymous read access via any FTP connection
C. Microsoft Defender security definition updates disabled
D. less command allows for escape exploit via terminal
A. Allows anonymous read access to /etc/passwd
Explanation
Anonymous read access to /etc/passwd is the most urgent issue because it exposes every account name, UID, home directory and login shell, which lets an attacker enumerate valid users for targeted password guessing and privilege escalation; on legacy systems that still keep password hashes in /etc/passwd rather than /etc/shadow, it also enables offline password cracking.
Option B (anonymous FTP access) is a risk, but /etc/passwd exposure is more critical because it directly affects user authentication.
Option C (Defender updates disabled) is important, but it does not present an immediate attack vector in the way account exposure does.
Option D (less escape exploit) is significant, but it requires local access and user interaction, making it less immediate than a global account leak.
Thus, A is the correct answer, as it represents an immediate, high-impact security risk.
Question 230:
The architecture team has been given a mandate to reduce the triage time of phishing incidents by 20%.
Which of the following solutions will most likely help with this effort?
A. Integrate a SOAR platform.
B. Increase the budget to the security awareness program.
C. Implement an EDR tool.
D. Install a button in the mail clients to report phishing.
A. Integrate a SOAR platform.
Explanation
SOAR (Security Orchestration, Automation, and Response) platforms help automate and orchestrate incident response tasks, including phishing triage.
SOAR reduces triage time by automatically:
Why Not Other Options?
B (Increase security awareness): helps prevent phishing but does NOT reduce triage time.
C (Implement EDR): EDR is useful for endpoint protection but does NOT specifically reduce phishing triage time.
D (Install a "Report Phishing" button): helps users report phishing but does NOT automate the triage process.
References:
CompTIA CySA+ CS0-003, Chapter 7: "Security Operations and Automation," Section: "SOAR and Incident Response Efficiency"
Nowadays, certification exams are becoming more important and are required by more and more enterprises when applying for a job. But how do you prepare for the exam effectively? How do you prepare in a short time with less effort? How do you get an ideal result and find the most reliable resources? Here on Vcedump.com you will find all the answers.
Vcedump.com provides not only CompTIA exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your CS0-003 exam preparation and CompTIA certification application, do not hesitate to visit Vcedump.com to find your solutions here.