CompTIA CS0-003 Online Practice
Questions and Exam Preparation
CS0-003 Exam Details
Exam Code: CS0-003
Exam Name: CompTIA Cybersecurity Analyst (CySA+)
Certification: CompTIA Certifications
Vendor: CompTIA
Total Questions: 680 Q&As
Last Updated: May 25, 2026
CompTIA CS0-003 Online Questions & Answers
Question 361:
A company is in the middle of an incident, and customer data has been breached.
Which of the following should the company contact first?
A. Media
B. Public relations
C. Law enforcement
D. Legal
D. Legal
Question 362:
A security analyst working for an airline is prioritizing vulnerabilities found on a system. The system has the following requirements:
1. Can store periodically audited documents required for takeoffs and landings
2. Can keep critical records regarding the company's operations
3. Data can be made public upon request and authorization.
Which of the following vulnerabilities should be remediated first?
A. A broken access control vulnerability impacting data integrity
B. A heap overflow vulnerability impacting the system's usability
C. A DoS vulnerability impacting the system's availability
D. A zero-day vulnerability impacting the system's confidentiality
A. A broken access control vulnerability impacting data integrity
Question 363:
A cybersecurity analyst is researching operational data to develop a script that will detect the presence of a threat on corporate assets.
Which of the following contains the most useful information to produce this script?
A. API documentation
B. Protocol analysis captures
C. MITRE ATT&CK reports
D. OpenIOC files
C. MITRE ATT&CK reports
Explanation
A cybersecurity analyst is researching operational data to develop a script that will detect the presence of a threat on corporate assets. The most useful information to produce this script is MITRE ATT&CK reports. MITRE ATT&CK is a knowledge base of adversary tactics and techniques based on real-world observations. MITRE ATT&CK reports provide detailed information on how different threat actors operate, what tools they use, what indicators they leave behind, and how to detect or mitigate their attacks. The other options are not as useful or relevant for this purpose.
Question 364:
An organization is concerned about the security posture of vendors with access to its facilities and systems. The organization wants to implement a vendor review process to ensure the policies implemented by vendors are in line with its own.
Which of the following will provide the highest assurance of compliance?
A. An in-house red-team report
B. A vendor self-assessment report
C. An independent third-party audit report
D. Internal and external scans from an approved third-party vulnerability vendor
C. An independent third-party audit report
Question 365:
An organization receives a legal hold request from an attorney. The request pertains to emails related to a disputed vendor contract.
Which of the following is the best step for the security team to take to ensure compliance with the request?
A. Publicly disclose the request to other vendors
B. Notify the departments involved to preserve potentially relevant information
C. Establish a chain of custody starting with the attorney's request
D. Back up the mailboxes on the server and provide the attorney with a copy
B. Notify the departments involved to preserve potentially relevant information
Explanation
Upon receiving a legal hold notice, the first step is typically to ensure that all potentially relevant information is preserved. This usually involves notifying all custodians of the information, such as relevant departments and employees, to halt any data deletion or alteration processes that might normally occur. It's essential that they are aware of the need to preserve information related to the specific matter.
Question 366:
A security analyst is comparing the results of the past and current active credentialed vulnerability scans:
Past scan:
Current scan:
Which of the following should the analyst do next?
A. Try to avoid a data leak by immediately creating a self-signed TLS certificate to patch the NTP system.
B. Inform management about the risk that the company's assets will be used to perform attacks.
C. Create a new entry on the risk register saying that all significant risks have been mitigated.
D. Request an unauthenticated scan to confirm that vulnerabilities have been patched.
B. Inform management about the risk that the company's assets will be used to perform attacks.
Question 367:
A report contains IoC and TTP information for a zero-day exploit that leverages vulnerabilities in a specific version of a web application.
Which of the following actions should a SOC analyst take first after receiving the report?
A. Implement a vulnerability scan to determine whether the environment is at risk.
B. Block the IP addresses and domains from the report in the web proxy and firewalls.
C. Verify whether the information is relevant to the organization.
D. Analyze the web application logs to identify any suspicious or malicious activity.
C. Verify whether the information is relevant to the organization.
Explanation
Before taking any action, the SOC analyst should first verify if the Indicators of Compromise (IoC) and Tactics, Techniques, and Procedures (TTPs) reported are relevant to the organization's environment. This involves checking if the vulnerable application or version is actually in use. As per CompTIA's CySA+ guidelines, relevance verification helps in prioritizing resources and response actions effectively, ensuring that time is not wasted on threats that do not impact the organization. Options A, B, and D are important subsequent steps if the threat is deemed relevant.
Question 368:
An analyst is examining events in multiple systems but is having difficulty correlating data points.
Which of the following is most likely the issue with the system?
A. Access rights
B. Network segmentation
C. Time synchronization
D. Invalid playbook
C. Time synchronization
Explanation
Time synchronization is the process of ensuring that all systems in a network keep the same accurate time, which is essential for correlating data points from different sources. If the systems are not synchronized, the analyst may have difficulty matching events that occurred at the same time or establishing the order in which they occurred. Access rights, network segmentation, and an invalid playbook are not directly related to the problem of correlating data points.
Verified References: [CompTIA CySA+ CS0-002 Certification Study Guide], page
Question 369:
Which of the following responsibilities does the legal team have during an incident management event? (Select two).
A. Coordinate additional or temporary staffing for recovery efforts.
B. Review and approve new contracts acquired as a result of an event.
C. Advise the incident response team on matters related to regulatory reporting.
D. Ensure all system security devices and procedures are in place.
E. Conduct computer and network damage assessments for insurance.
F. Verify that all security personnel have the appropriate clearances.
B. Review and approve new contracts acquired as a result of an event.
C. Advise the incident response team on matters related to regulatory reporting.
Explanation
The legal team plays a crucial role in managing the legal and compliance aspects of incident response. They review and approve contracts (B) for emergency services, like incident response firms, and provide guidance on regulatory reporting (C), ensuring the organization meets compliance requirements. According to CompTIA Security+ guidelines, legal teams focus on regulatory and contractual matters rather than operational aspects like staffing (A) or security procedures (D).
Question 370:
A network security analyst for a large company noticed unusual network activity on a critical system.
Which of the following tools should the analyst use to analyze network traffic to search for malicious activity?
A. WAF
B. Wireshark
C. EDR
D. Nmap
B. Wireshark
Explanation
Wireshark is a network protocol analyzer that allows analysts to capture and inspect data packets traveling through a network. This makes it ideal for investigating unusual network activity, as it provides detailed insights into the nature and content of network traffic. In this case, Wireshark can help identify potentially malicious packets and understand the nature of the observed traffic. Options A (WAF) and C (EDR) are primarily used for monitoring and protecting web applications and endpoints, respectively, and Nmap (D) is typically used for network discovery and mapping, not detailed traffic analysis. According to CompTIA CySA+, packet analysis tools like Wireshark are invaluable for deep-dive investigations into network anomalies.
Nowadays, certification exams are becoming more and more important and are required by more and more enterprises when applying for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers.
Vcedump.com provides not only CompTIA exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your CS0-003 exam preparation or your CompTIA certification application, do not hesitate to visit Vcedump.com to find your solutions.