CompTIA CS0-003 Online Practice Questions and Exam Preparation

CompTIA CS0-003 Online Questions & Answers

• Question 311:

  The Chief Information Security Officer for an organization recently received approval to install a new EDR solution. Following the installation, the number of alerts that require remediation by an analyst has tripled.

  Which of the following should the organization utilize to best centralize the workload for the internal security team?

  (Select two).

  A. SOAR
  B. SIEM
  C. MSP
  D. NGFW
  E. XDR
  F. DLP
  A. SOAR
  B. SIEM

  ---

  Explanation

  SOAR (Security Orchestration, Automation and Response) and SIEM (Security Information and Event Management) are solutions that can help centralize the workload for the internal security team by collecting, correlating, and analyzing alerts from different sources, such as EDR. SOAR can also automate and streamline incident response workflows, while SIEM can provide dashboards and reports for security monitoring and compliance.

  References:

  What is EDR? Endpoint Detection & Response, How Does the Cyber Kill Chain Protect Against Attacks?

  What is EDR Solution?, EDR solutions secure diverse endpoints through central monitoring

• Question 312:

  A security engineer is reviewing security products that identify malicious actions by users as part of a company's insider threat program.

  Which of the following is the most appropriate product category for this purpose?

  A. SCAP
  B. SOAR
  C. UEBA
  D. WAF
  C. UEBA

  ---

  Explanation

  UEBA stands for User and Entity Behavior Analytics, which is a category of security products that use machine learning and statistical analysis to identify malicious actions by users or entities on a network. UEBA products can detect anomalous or suspicious behaviors that deviate from normal patterns or baselines, such as data exfiltration, privilege escalation, unauthorized access, insider threats, or compromised accounts. UEBA products can also provide alerts, reports, or recommendations for response actions based on the detected behaviors.

• Question 313:

  A systems administrator notices unfamiliar directory names on a production server. The administrator reviews the directory listings and files, and then concludes the server has been compromised.

  Which of the following steps should the administrator take next?

  A. Inform the internal incident response team.
  B. Follow the company's incident response plan.
  C. Review the lessons learned for the best approach.
  D. Determine when the access started.
  B. Follow the company's incident response plan.

  ---

  Explanation

  An incident response plan is a set of predefined procedures and guidelines that an organization follows when faced with a security breach or attack. An incident response plan helps to ensure that the organization can quickly and effectively contain, analyze, eradicate, and recover from the incident, as well as prevent or minimize the damage and impact to the business operations, reputation, and customers. An incident response plan also defines the roles and responsibilities of the incident response team, the communication channels and protocols, the escalation and reporting procedures, and the tools and resources available for the incident response. By following the company's incident response plan, the administrator can ensure that they are following the best practices and standards for handling a security incident, and that they are coordinating and collaborating with the relevant stakeholders and authorities. Following the company's incident response plan can also help to avoid or reduce any legal, regulatory, or contractual liabilities or penalties that may arise from the incident. The other options are not as effective or appropriate as following the company's incident response plan. Informing the internal incident response team (A) is a good step, but it should be done according to the company's incident response plan, which may specify who, when, how, and what to report. Reviewing the lessons learned for the best approach ?is a good step, but it should be done after the incident has been resolved and closed, not during the active response phase. Determining when the access started (D) is a good step, but it should be done as part of the analysis phase of the incident response plan, not before following the plan.

• Question 314:

  Following an attack, an analyst needs to provide a summary of the event to the Chief Information Security Officer. The summary needs to include the who-what-when information and evaluate the effectiveness of the plans in place.

  Which of the following incident management life cycle processes does this describe?

  A. Business continuity plan
  B. Lessons learned
  C. Forensic analysis
  D. Incident response plan
  B. Lessons learned

  ---

  Explanation

  The lessons learned process is the final stage of the incident management life cycle, where the incident team reviews the incident and evaluates the effectiveness of the response and the plans in place. The lessons learned report should include the who-what-when information and any recommendations for improvement

• Question 315:

  A cryptocurrency service company is primarily concerned with ensuring the accuracy of the data on one of its systems. A security analyst has been tasked with prioritizing vulnerabilities for remediation for the system. The analyst will use the following CVSSv3.1 impact metrics for prioritization:

  

  Which of the following vulnerabilities should be prioritized for remediation?

  A. 1
  B. 2
  C. 3
  D. 4
  D. 4

  ---

  Explanation

  Since the company is concerned with ensuring the accuracy of the data, the analyst must prioritize integrity over other data. Analyzing the values in the table, options A, B, C would be discarded as having an L or N impact

• Question 316:

  While reviewing system logs, a network administrator discovers the following entry:

  

  Which of the following occurred?

  A. An attempt was made to access a remote workstation.
  B. The PsExec services failed to execute.
  C. A remote shell failed to open.
  D. A user was trying to download a password file from a remote system.
  A. An attempt was made to access a remote workstation.

• Question 317:

  A security analyst is responding to an indent that involves a malicious attack on a network. Data closet.

  Which of the following best explains how are analyst should properly document the incident?

  A. Back up the configuration file for alt network devices
  B. Record and validate each connection
  C. Create a full diagram of the network infrastructure
  D. Take photos of the impacted items
  D. Take photos of the impacted items

  ---

  Explanation

  When documenting a physical incident in a network data closet, taking photos provides a clear and immediate record of the situation, which is essential for thorough incident documentation and subsequent investigation. Proper documentation of an incident in a data closet should include taking photos of the impacted items. This provides visual evidence and helps in understanding the physical context of the incident, which is crucial for a thorough investigation. Backing up configuration files, recording connections, and creating network diagrams, while important, are not the primary means of documenting the physical aspects of an incident.

• Question 318:

  An organization's Chief Information Security Officer is creating a position that will be responsible for implementing technical controls to protect data, including ensuring backups are properly maintained.

  Which of the following roles would MOST likely include these responsibilities?

  A. Data protection officer
  B. Data owner
  C. Backup administrator
  D. Data custodian
  E. Internal auditor
  D. Data custodian

  ---

  Explanation

  D. In this case, Data custodian, role would be the best fit because it includes responsibilities for protecting data, including securing, monitoring, and controlling access to it, as well as ensuring data is accurate, complete, and accessible when needed. Ensuring that backups are properly maintained would fall under the responsibilities of a data custodian, as they would be responsible for protecting data and ensuring its availability.

• Question 319:

  A security analyst is working on a suspicious email forwarded from a user. The email contains an attachment asking the user to open it.

  Which of the following should the security analyst review to best determine email authentication and its attack origin?

  A. DMARC
  B. SMTP
  C. Joe Sandbox
  D. URL rewriting
  A. DMARC

• Question 320:

  A company patches its servers using automation software. Remote SSH or RDP connections are allowed to the servers only from the service account used by the automation software. All servers are in an internal subnet without direct access to or from the internet. An analyst reviews the following vulnerability summary:

  

  Which of the following vulnerability IDs should the analyst address first?

  A. 1
  B. 2
  C. 3
  D. 4
  B. 2

  ---

  Explanation

  The vulnerability with the highest CVSS score and an active exploit is Microsoft CVE-2021- 34527 (PrintNightmare). Although only present on two instances, its high severity (8.4) and exploitable nature make it a priority. PrintNightmare is a well-known remote code execution vulnerability, which can be a critical risk. According to CompTIA CySA+ and vulnerability management practices, prioritizing based on severity and exploitability is essential, even over the number of instances. Other vulnerabilities listed are less severe or lack active exploitation.