CompTIA CS0-003 Online Practice
Questions and Exam Preparation
CS0-003 Exam Details
Exam Code: CS0-003
Exam Name: CompTIA Cybersecurity Analyst (CySA+)
Certification: CompTIA Certifications
Vendor: CompTIA
Total Questions: 680 Q&As
Last Updated: Jun 02, 2026
CompTIA CS0-003 Online Questions & Answers
Question 321:
While configuring a SIEM for an organization, a security analyst is having difficulty correlating incidents across different systems.
Which of the following should be checked first?
A. If appropriate logging levels are set
B. NTP configuration on each system
C. Behavioral correlation settings
D. Data normalization rules
B. NTP configuration on each system
Explanation
The NTP configuration on each system should be checked first, as it is essential for ensuring accurate and consistent time stamps across different systems. NTP is the Network Time Protocol, which is used to synchronize the clocks of computers over a network. NTP uses a hierarchical system of time sources, where each level is assigned a stratum number. The most accurate time sources, such as atomic clocks or GPS receivers, are at stratum 0, and the devices that synchronize with them are at stratum 1, and so on. NTP clients can query multiple NTP servers and use algorithms to select the best time source and adjust their clocks accordingly [1]. If the NTP configuration is not consistent or correct on each system, the time stamps of the logs and events may differ, making it difficult to correlate incidents across different systems. This can affect the security analysis and correlation of events, as well as the compliance and auditing of the network [2][3].
References:
[1] How the Windows Time Service Works; [2] Time Synchronization - All You Need To Know; [3] What is SIEM? | Microsoft Security
Question 322:
Which of the following evidence collection methods is most likely to be acceptable in court cases?
A. Copying all access files at the time of the incident
B. Creating a file-level archive of all files
C. Providing a full system backup inventory
D. Providing a bit-level image of the hard drive
D. Providing a bit-level image of the hard drive
Question 323:
A critical server hosting final exams for an educational institution fails while students are taking their exams. The final exam deadline is in 16 hours.
Which of the following is the best source for guidance on remediation for the IT team?
A. MOU
B. KPI
C. SLA
D. BCP
D. BCP
Question 324:
An organization enabled a SIEM rule to send an alert to a security analyst distribution list when ten failed logins occur within one minute. However, the control was unable to detect an attack with nine failed logins.
Which of the following best represents what occurred?
A. False positive
B. True negative
C. False negative
D. True positive
C. False negative
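The threshold rule from this question, as an added example that is not part of the exam page: a minimal version of the "ten failed logins within one minute" rule run over constructed log lines, showing that a nine-failure burst produces no alert and is graded a false negative. The log format, field names and IP addresses are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines (not real data): ISO timestamp, source IP, outcome.
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z 203.0.113.5 LOGIN_FAILED
2024-05-01T10:00:06Z 203.0.113.5 LOGIN_FAILED
2024-05-01T10:00:11Z 203.0.113.5 LOGIN_FAILED
2024-05-01T10:00:16Z 203.0.113.5 LOGIN_FAILED
2024-05-01T10:00:18Z 198.51.100.7 LOGIN_FAILED
2024-05-01T10:00:21Z 203.0.113.5 LOGIN_FAILED
2024-05-01T10:00:26Z 203.0.113.5 LOGIN_FAILED
2024-05-01T10:00:29Z 198.51.100.7 LOGIN_OK
2024-05-01T10:00:31Z 203.0.113.5 LOGIN_FAILED
2024-05-01T10:00:36Z 203.0.113.5 LOGIN_FAILED
2024-05-01T10:00:41Z 203.0.113.5 LOGIN_FAILED
"""

def parse(text):
    events = []
    for line in text.splitlines():
        ts, src, outcome = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), src, outcome))
    return events

def threshold_alerts(events, threshold=10, window_s=60):
    """Sources with at least `threshold` failures inside any `window_s` span (the SIEM rule)."""
    recent = defaultdict(deque)
    alerts = set()
    for ts, src, outcome in sorted(events):
        if outcome != "LOGIN_FAILED":
            continue
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.add(src)
    return alerts

def classify(alert_fired, attack_occurred):
    """Map a rule's verdict against ground truth to the four detection outcomes."""
    if attack_occurred:
        return "true positive" if alert_fired else "false negative"
    return "false positive" if alert_fired else "true negative"

def outcome_for(text, attacker, threshold=10):
    """Run the rule on the log text and grade it against the known attacker source."""
    fired = attacker in threshold_alerts(parse(text), threshold=threshold)
    return classify(fired, attack_occurred=True)
```

Lowering the threshold to nine makes the same burst a true positive, which is the tuning trade-off the question is pointing at.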
Question 325:
A security analyst is reviewing the logs and notices the following entries:
Which of the following most likely occurred?
A. LDAP injection
B. Clickjacking
C. XSS
D. SQLi
D. SQLi
Question 326:
An analyst is suddenly unable to enrich data from the firewall. However, the other open intelligence feeds continue to work.
Which of the following is the most likely reason the firewall feed stopped working?
A. The firewall service account was locked out.
B. The firewall was using a paid feed.
C. The firewall certificate expired.
D. The firewall failed open.
C. The firewall certificate expired.
Explanation
The firewall certificate expired. If the firewall uses a certificate to authenticate and encrypt the feed, and the certificate expires, the feed will stop working until the certificate is renewed or replaced. This can affect the data enrichment process and the security analysis.
References:
CompTIA CySA+ Study Guide: Exam CS0-003, 3rd Edition, Chapter 4: Security Operations and Monitoring, page 161.
Question 327:
During normal security monitoring activities, the following activity was observed:
cd C:\Users\Documents\HR\Employees
takeown /f .*
SUCCESS:
Which of the following best describes the potentially malicious activity observed?
A. Registry changes or anomalies
B. Data exfiltration
C. Unauthorized privileges
D. File configuration changes
C. Unauthorized privileges
Explanation
The takeown command is used to take ownership of a file or folder to which the current user or group was previously denied access. The activity observed indicates that someone has taken ownership of all files and folders under the C:\Users\Documents\HR\Employees directory, which may contain sensitive or confidential information. This could be a sign of unauthorized privileges, as the user or group may not have the legitimate right or need to access those files or folders. Taking ownership of files or folders could also enable the user or group to modify or delete them, which could affect the integrity or availability of the data.
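One way to surface this activity in monitoring, as an added example that is not part of the exam page: review constructed process-creation records for takeown calls, resolve a relative target (such as `.*` after a `cd`) against the working directory, and report calls that land under a watched directory. The record fields, the watchlist and the user names are assumptions for the example.

```python
import ntpath

# Assumed watchlist of directories whose ownership should never change casually.
SENSITIVE_ROOTS = (r"C:\Users\Documents\HR",)

# Constructed process-creation records (not real telemetry); field names are assumed.
SAMPLE_EVENTS = [
    {"user": r"CORP\jdoe", "cwd": r"C:\Users\Documents\HR\Employees", "cmd": r"takeown /f .*"},
    {"user": r"CORP\backupsvc", "cwd": r"C:\Temp", "cmd": r"takeown.exe /f C:\Temp\old.log"},
    {"user": r"CORP\asmith", "cwd": r"C:\Users\Documents\HR", "cmd": r"dir /s"},
    {"user": r"CORP\jdoe", "cwd": r"C:\Windows\System32",
     "cmd": r"takeown /f C:\Users\Documents\HR\Employees /r /d y"},
]

def takeown_target(cmd, cwd):
    """Absolute path a takeown call is aimed at, or None if cmd is not takeown."""
    tokens = cmd.split()
    if not tokens:
        return None
    name = tokens[0].lower()
    if name.endswith(".exe"):
        name = name[:-4]
    if name != "takeown":
        return None
    lowered = [t.lower() for t in tokens]
    if "/f" not in lowered or lowered.index("/f") + 1 >= len(tokens):
        return None
    target = tokens[lowered.index("/f") + 1]
    # A relative target (like ".*" after a cd) only makes sense with the working directory.
    if not ntpath.isabs(target):
        target = ntpath.join(cwd, target)
    return ntpath.normpath(target)

def review(events, roots=SENSITIVE_ROOTS):
    """Return (user, target, recursive) for takeown calls that touch a watched root."""
    hits = []
    for ev in events:
        target = takeown_target(ev["cmd"], ev["cwd"])
        if target is None:
            continue
        if any(target.lower().startswith(root.lower()) for root in roots):
            recursive = "/r" in ev["cmd"].lower().split()
            hits.append((ev["user"], target, recursive))
    return hits
```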
Question 328:
A company wants to grant access to identity administrators who are completing similar tasks.
Which of the following access control models should the company use?
A. Mandatory access
B. Role-based access
C. Attribute-based access
D. Discretionary access
B. Role-based access
Question 329:
A development team is preparing to roll out a beta version of a web application and wants to quickly test for vulnerabilities, including SQL injection, path traversal, and cross-site scripting.
Which of the following tools would the security team most likely recommend to perform this test?
A. Hashcat
B. OpenVAS
C. OWASP ZAP
D. Nmap
C. OWASP ZAP
Explanation
OWASP ZAP (Zed Attack Proxy) is a tool recommended for quickly testing web applications for vulnerabilities, including SQL injection, path traversal, and cross-site scripting. It is an open-source web application security scanner that helps identify security issues in web applications during the development and testing phases.
Question 330:
An end-of-life date was announced for a widely used OS. A business-critical function is performed by some machinery that is controlled by a PC, which is utilizing the OS that is approaching the end-of-life date.
Which of the following best describes a security analyst's concern?
A. Any discovered vulnerabilities will not be remediated.
B. An outage of machinery would cost the organization money.
C. Support will not be available for the critical machinery.
D. There are no compensating controls in place for the OS.
A. Any discovered vulnerabilities will not be remediated.
Explanation
As the OS that controls the business-critical machinery is approaching its end-of-life date, it means that the OS will no longer receive updates and security patches from the vendor. This leaves the OS and the machinery susceptible to potential security breaches and attacks that could exploit these unpatched vulnerabilities.