CompTIA CS0-003 Online Practice Questions and Exam Preparation
CS0-003 Exam Details
Exam Code: CS0-003
Exam Name: CompTIA Cybersecurity Analyst (CySA+)
Certification: CompTIA Certifications
Vendor: CompTIA
Total Questions: 680 Q&As
Last Updated:
CompTIA CS0-003 Online Questions & Answers
Question 341:
A user clicks on a malicious adware link, and the malware successfully downloads to the machine. The malware has a script that invokes command-and-control activity.
Which of the following actions is the best way to contain the incident without any additional impact?
A. Disable the user account until the malware investigation is complete. B. Review EDR information to determine whether the file was detected and quarantined locally. C. Block the server on the proxy and firewall. D. Submit a recategorization update to the vendor.
C. Block the server on the proxy and firewall.
Question 342:
An analyst has been asked to validate the potential risk of a new ransomware campaign that the Chief Financial Officer read about in the newspaper. The company is a manufacturer of a very small spring used in the newest fighter jet and is a critical piece of the supply chain for this aircraft.
Which of the following would be the best threat intelligence source to learn about this new campaign?
A. Information sharing organization B. Blogs/forums C. Cybersecurity incident response team D. Deep/dark web
A. Information sharing organization
Explanation
An information sharing organization (for example, a sector ISAC) is a group or network of organizations that share threat intelligence, best practices, and lessons learned about cybersecurity issues or incidents. Such an organization can help security analysts learn about new ransomware campaigns and other emerging threats, and can provide recommendations or guidance on how to prevent, detect, and respond to them. It also lets analysts collaborate and coordinate with other organizations in the same industry or region that face similar threats, which matters here because the company is a defense supply-chain supplier and is likely to be targeted alongside its peers.
Question 343:
When starting an investigation, which of the following must be done first?
A. Notify law enforcement B. Secure the scene C. Seize all related evidence D. Interview the witnesses
B. Secure the scene
Explanation
The first thing that must be done when starting an investigation is to secure the scene. Securing the scene involves isolating and protecting the area where the incident occurred, as well as any potential evidence or witnesses. Securing the scene can help prevent any tampering, contamination, or destruction of evidence, as well as any interference or obstruction of the investigation.
Question 344:
Which of the following ICS network protocols has no inherent security functions on TCP port 502?
A. CIP B. DHCP C. SSH D. Modbus
D. Modbus
Explanation
Modbus is an industrial control system (ICS) network protocol used for communication between devices such as sensors, controllers, actuators, and monitors. Modbus has no inherent security functions on TCP port 502, the default port for Modbus TCP/IP communication: it provides no encryption, authentication, or integrity protection for the data transmitted over the network, so any host that can reach port 502 can read or write a controller's coils and registers. That makes it vulnerable to replay, modification, spoofing, and denial-of-service attacks. The later Modbus/TCP Security specification wraps the protocol in TLS on port 802, but the plain protocol on 502 remains unauthenticated, and the usual defence is strict network segmentation and monitoring of who issues write requests.
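The following is an added example, not code from the exam page: a minimal Modbus/TCP frame parser and a passive check that flags state-changing requests (write function codes) from hosts that are not expected to write. The frames, IP addresses and allowlist are constructed sample data. Parsing the frame makes the explanation's point concrete: the MBAP header and PDU carry a transaction id, unit id, function code and data, and nothing that identifies or authenticates the sender.

```python
# Added example, not from the exam page: a minimal Modbus/TCP parser plus a
# passive check that flags state-changing requests from hosts that are not
# expected to write. Frames and addresses below are constructed sample data.
import struct
from dataclasses import dataclass

MODBUS_TCP_PORT = 502

# Function codes that change controller state (names per the Modbus spec).
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header and the PDU that follows it.

    Note what is absent: no sender identity, credential or MAC appears anywhere
    in the frame, so the device cannot tell an HMI from an intruder.
    """
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError(f"protocol id {protocol_id} is not Modbus")
    # The length field counts unit id + PDU; it must match the bytes received.
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    return ModbusRequest(transaction_id, unit_id, frame[7], frame[8:])


def build_request(transaction_id: int, unit_id: int, function_code: int, *fields: int) -> bytes:
    """Build a request whose PDU is the function code followed by 16-bit fields,
    e.g. (0x06, address, value) or (0x03, start, quantity)."""
    pdu = struct.pack(">B" + "H" * len(fields), function_code, *fields)
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def audit(flows, allowed_writers):
    """flows: iterable of (src_ip, dst_port, payload). Returns alert strings for
    writes from unexpected sources and for malformed frames on port 502."""
    alerts = []
    for src, dport, payload in flows:
        if dport != MODBUS_TCP_PORT:
            continue
        try:
            req = parse_modbus_tcp(payload)
        except ValueError as err:
            alerts.append(f"{src}: malformed Modbus frame ({err})")
            continue
        if req.function_code in WRITE_FUNCTIONS and src not in allowed_writers:
            # Every write PDU starts with a 16-bit target address.
            address = struct.unpack(">H", req.data[:2])[0] if len(req.data) >= 2 else None
            alerts.append(
                f"{src}: {WRITE_FUNCTIONS[req.function_code]} at address {address} "
                f"on unit {req.unit_id} (not an approved writer)"
            )
    return alerts


# Constructed sample traffic: an HMI polling, an engineering workstation
# writing as expected, and an unknown host writing a register and sending junk.
ALLOWED_WRITERS = {"10.0.0.20"}
SAMPLE_FLOWS = [
    ("10.0.0.10", 502, build_request(1, 1, 0x03, 0, 10)),   # Read Holding Registers
    ("10.0.0.20", 502, build_request(2, 1, 0x06, 40, 1)),   # approved write
    ("10.0.0.99", 502, build_request(3, 1, 0x06, 40, 0)),   # unexpected write
    ("10.0.0.99", 502, b"\x00\x04\x00\x00\x00"),            # truncated frame
    ("10.0.0.99", 80, b"GET / HTTP/1.1\r\n"),               # not Modbus, ignored
]

if __name__ == "__main__":
    for alert in audit(SAMPLE_FLOWS, ALLOWED_WRITERS):
        print(alert)
```

Run as-is it prints two alerts for 10.0.0.99: the unapproved write to register 40 and the truncated frame. In practice the flow tuples would come from a network tap or a packet capture on the ICS segment; the allowlist is the compensating control the protocol itself does not give you.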
Question 345:
An international company is implementing a marketing campaign for a new product and needs a security analyst to perform a threat-hunting process to identify possible threat actors.
Which of the following should be the analyst's primary focus?
A. Hacktivists B. Organized crime C. Nation-states D. Insider threats
B. Organized crime
Question 346:
A security analyst performs a vulnerability scan. Based on the metrics from the scan results, the analyst must prioritize which hosts to patch. The analyst runs the tool and receives the following output:
Which of the following hosts should be patched first, based on the metrics?
A. host01 B. host02 C. host03 D. host04
C. host03
Explanation
Host03 should be patched first, based on the metrics, as it has the highest risk score and the highest number of critical vulnerabilities. The risk score is calculated by multiplying the CVSS score by the exposure factor, which is the percentage of systems that are vulnerable to the exploit. Host03 has a risk score of 10 x 0.9 = 9, which is higher than any other host. Host03 also has 5 critical vulnerabilities, which are the most severe and urgent to fix, as they can allow remote code execution, privilege escalation, or data loss. The other hosts have lower risk scores and lower numbers of critical vulnerabilities, so they can be patched later.
Question 347:
An employee received a phishing email that contained malware targeting the company.
Which of the following is the best way for a security analyst to get more details about the malware and avoid disclosing information?
A. Upload the malware to the VirusTotal website B. Share the malware with the EDR provider C. Hire an external consultant to perform the analysis D. Use a local sandbox in a microsegmented environment
D. Use a local sandbox in a microsegmented environment
Explanation
To analyze malware without unintentionally disclosing company information, the best choice is a local sandbox in a microsegmented environment. Here is why each option does or does not meet that goal:
A. Upload the malware to the VirusTotal website: samples uploaded to VirusTotal are shared with its partner vendors and community, so a sample built for this company (which may embed internal hostnames, user names, or the lure document itself) leaves the organization's control.
B. Share the malware with the EDR provider: this still hands the sample, and whatever it reveals about the company, to an outside party.
C. Hire an external consultant to perform the analysis: likewise discloses the sample to a third party, and adds cost and delay.
D. Use a local sandbox in a microsegmented environment: the sample is detonated and studied in-house, and the segmentation keeps it from reaching production systems, and keeps any callbacks it makes from leaving the lab unless the analyst allows it.
References: NIST SP 800-83, Guide to Malware Incident Prevention and Handling for Desktops and Laptops. MITRE ATT&CK: techniques and recommendations for malware analysis in isolated environments.
Question 348:
A SOC manager is establishing a reporting process to manage vulnerabilities.
Which of the following would be the best solution to identify potential loss incurred by an issue?
A. Trends B. Risk score C. Mitigation D. Prioritization
B. Risk score
Explanation
A risk score is a numerical value that represents the potential impact and likelihood of a vulnerability being exploited. It can help to identify the potential loss incurred by an issue and prioritize remediation efforts accordingly.
Question 349:
A security analyst discovers an LFI vulnerability that can be exploited to extract credentials from the underlying host.
Which of the following patterns can the security analyst use to search the web server logs for evidence of exploitation of that particular vulnerability?
A. /etc/shadow B. curl localhost C. ; printenv D. cat /proc/self/
A. /etc/shadow
Explanation
/etc/shadow is the pattern the security analyst can use to search the web server logs for evidence that this LFI vulnerability was exploited. LFI stands for Local File Inclusion, a vulnerability that allows an attacker to include files from the web server's local filesystem in the output of a web application. LFI can be exploited to extract sensitive information from the server, such as configuration files, passwords, or source code. The /etc/shadow file stores the hashed passwords of all users on a Linux system. If an attacker can exploit the LFI vulnerability to include this file in the web application's output, they can obtain the credentials of the users on the web server. The analyst should therefore look for /etc/shadow in the request line of the web server logs to see whether anyone attempted or succeeded in exploiting the LFI vulnerability. In practice the search should also allow for URL-encoded and traversal-obfuscated forms of the path, and a 200 response with a non-trivial body size is the signal that the inclusion actually worked rather than merely being attempted.
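The following is an added example, not code from the exam page: a log search for the pattern the question asks about that also catches the encodings a literal grep for "/etc/shadow" would miss. It decodes URL encoding (including double encoding), collapses directory-traversal runs and strips null bytes before matching. The access log lines, IP addresses and the extra target paths are constructed sample data; /etc/passwd and /proc/self/environ are included because a web server usually runs as a user that cannot read /etc/shadow (an assumption about a typical Linux host).

```python
# Added example, not from the exam page: search web server access logs for
# LFI attempts aimed at credential files, normalising URL encoding, traversal
# sequences and null bytes before matching. Log lines are constructed sample data.
import re
from urllib.parse import unquote

# /etc/shadow is the exam's answer. The web server usually runs as an
# unprivileged user that cannot read it, so attackers also go after these
# (assumption: a typical Linux web host).
TARGET_FILES = ["/etc/shadow", "/etc/passwd", "/proc/self/environ", ".htpasswd"]

# Apache/nginx combined log format; the request line is split into method/path/version.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)


def normalise(path: str) -> str:
    """Canonicalise a request path the way the target filesystem would see it."""
    previous = None
    while previous != path:               # repeat until stable: %252F -> %2F -> /
        previous, path = path, unquote(path)
    path = path.replace("\\", "/").replace("\x00", "")   # backslashes, null-byte truncation
    path = re.sub(r"(\.{2,}/)+", "/", path)              # ../../ and ....// runs
    path = re.sub(r"/{2,}", "/", path)
    return path.lower()


def find_lfi_attempts(log_lines, targets=TARGET_FILES):
    """Return one hit per log line whose canonical path contains a target file."""
    hits = []
    for line in log_lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        canonical = normalise(match["path"])
        for target in targets:
            if target in canonical:
                hits.append({
                    "ip": match["ip"],
                    "target": target,
                    "status": int(match["status"]),   # 200 with a body size suggests it worked
                    "raw": match["path"],
                })
                break
    return hits


# Constructed sample log: three LFI attempts with different encodings, two benign requests.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2024:12:00:01 +0000] "GET /index.php?page=../../../../etc/shadow HTTP/1.1" 200 1432 "-" "curl/8.0"',
    '203.0.113.5 - - [10/Mar/2024:12:00:02 +0000] "GET /index.php?page=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 2210 "-" "curl/8.0"',
    '203.0.113.5 - - [10/Mar/2024:12:00:03 +0000] "GET /download?file=%252Fetc%252Fshadow HTTP/1.1" 403 199 "-" "curl/8.0"',
    '198.51.100.7 - - [10/Mar/2024:12:00:04 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2024:12:00:05 +0000] "GET /static/shadow.png HTTP/1.1" 200 8801 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_lfi_attempts(SAMPLE_LOG):
        print(f"{hit['ip']} -> {hit['target']} (HTTP {hit['status']}): {hit['raw']}")
```

Two caveats a practitioner would add: parameters sent in a POST body never appear in the access log, so this search only covers GET-style inclusion, and the 200/403 split is a hint, not proof; confirming actual disclosure means checking the response bodies or the application's own logs.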
Question 350:
Which of the following risk management decisions should be considered after evaluating all other options?
A. Transfer B. Acceptance C. Mitigation D. Avoidance
B. Acceptance
Explanation
Risk acceptance is the decision to accept a risk's consequences when mitigation, transfer, or avoidance are not feasible or cost-effective. It is chosen when the residual risk aligns with the organization's risk appetite, and it is reached only after the other options have been assessed and rejected, which is why it is considered last.
References:
CompTIA CySA+ Study Guide (Chapter 13: Risk Management Principles)
Nowadays, certification exams are becoming more important and are required by more and more enterprises when applying for a job. But how do you prepare for the exam effectively? How do you prepare in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com you will find all the answers. Vcedump.com provides not only CompTIA exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are unsure about your CS0-003 exam preparation or your CompTIA certification application, do not hesitate to visit Vcedump.com to find your solutions.