CompTIA CS0-003 Online Practice Questions and Exam Preparation

CompTIA CS0-003 Online Questions & Answers

• Question 371:

  An analyst reviews alerts that indicate a number of different users had a spike in login attempts from the same IP. Using the security information and event management (SIEM) system, the analyst finds that a number of users received the following email:

  Which of the following best describes this activity?

  A. URL shortening
  B. Whaling
  C. Spoofing
  D. Social engineering
  C. Spoofing

• Question 372:

  When investigating a potentially compromised host, an analyst observes that the process BGInfo.exe (PID 1024), a Sysinternals tool used to create desktop backgrounds containing host details, has bee running for over two days.

  Which of the following activities will provide the best insight into this potentially malicious process, based on the anomalous behavior?

  A. Changes to system environment variables
  B. SMB network traffic related to the system process
  C. Recent browser history of the primary user
  D. Activities taken by PID 1024
  D. Activities taken by PID 1024

  ---

  Explanation

  The activities taken by the process with PID 1024 will provide the best insight into this potentially malicious process, based on the anomalous behavior. BGInfo.exe is a legitimate tool that displays system information on the desktop background, but it can also be used by attackers to gather information about the compromised host or to disguise malicious processes 12. By monitoring the activities of PID 1024, such as the files it accesses, the network connections it makes, or the commands it executes, the analyst can determine if the process is benign or malicious.

  References:

  bginfo.exe Windows process - What is it?, What is bginfo.exe? Is it Safe or a Virus? How to remove or fix it

• Question 373:

  A security analyst provides the management team with an after-action report for a security incident.

  Which of the following is the management team most likely to review in order to correct validated issues with the incident response processes?

  A. Tabletop exercise
  B. Lessons learned
  C. Root cause analysis
  D. Forensic analysis
  B. Lessons learned

• Question 374:

  A SOC analyst observes reconnaissance activity from an IP address. The activity follows a pattern of short bursts toward a low number of targets. An open-source review shows that the IP has a bad reputation. The perimeter firewall logs indicate the inbound traffic was allowed. The destination hosts are high-value assets with EDR agents installed.

  Which of the following is the best action for the SOC to take to protect against any further activity from the source IP?

  A. Add the IP address to the EDR deny list.
  B. Create a SIEM signature to trigger on any activity from the source IP subnet detected by the web proxy or firewalls for immediate notification.
  C. Implement a prevention policy for the IP on the WAF
  D. Activate the scan signatures for the IP on the NGFWs.
  A. Add the IP address to the EDR deny list.

  ---

  Explanation

  In this scenario, adding the IP address to the EDR (Endpoint Detection and Response) deny list is an immediate and effective way to block further reconnaissance activities from the malicious source. EDR solutions are designed to provide advanced endpoint security, including blocking specific IP addresses and preventing potentially harmful traffic. This proactive step aligns with CompTIA Cybersecurity Analyst (CySA+) best practices for threat prevention and response. While other options, such as using SIEM for monitoring (option B) or WAF policies (option C), provide additional layers of security, they do not directly block the threat in the same immediate way that adding the IP to the EDR deny list does.

• Question 375:

  A technician identifies a vulnerability on a server and applies a software patch.

  Which of the following should be the next step in the remediation process?

  A. Testing
  B. Implementation
  C. Validation
  D. Rollback
  C. Validation

  ---

  Explanation

  The next step in the remediation process after applying a software patch is validation. Validation is a process that involves verifying that the patch has been successfully applied, that it has fixed the vulnerability, and that it has not caused any adverse effects on the system or application functionality or performance. Validation can be done using various methods, such as scanning, testing, monitoring, or auditing.

• Question 376:

  Which of the following would an organization use to develop a business continuity plan?

  A. A diagram of all systems and interdependent applications
  B. A repository for all the software used by the organization
  C. A prioritized list of critical systems defined by executive leadership
  D. A configuration management database in print at an off-site location
  C. A prioritized list of critical systems defined by executive leadership

  ---

  Explanation

  A prioritized list of critical systems defined by executive leadership is the best option to use to develop a business continuity plan. A business continuity plan (BCP) is a system of prevention and recovery from potential threats to a company.

  The plan ensures that personnel and assets are protected and are able to function quickly in the event of a disaster. A BCP should include a business impact analysis, which identifies the critical systems and processes that are essential for the continuity of the business operations, and the potential impacts of their disruption. The executive leadership should be involved in defining the critical systems and their priorities, as they have the strategic vision and authority to make decisions that affect the whole organization. A diagram of all systems and interdependent applications, a repository for all the software used by the organization, and a configuration management database in print at an off-site location are all useful tools for documenting and managing the IT infrastructure, but they are not sufficient to develop a comprehensive BCP that covers all aspects of the business continuity 4.

  References:

  What Is a Business Continuity Plan (BCP), and How Does It Work?, Business continuity plan (BCP) in 8 steps, with templates, Business continuity planning | Business Queensland, Understanding the Essentials of a Business Continuity Plan

• Question 377:

  Which of the following BEST explains the function of a managerial control?

  A. To scope the security planning, program development, and maintenance of the security life cycle
  B. To guide the development of training, education, security awareness programs, and system maintenance
  C. To implement data classification, risk assessments, security control reviews, and contingency planning
  D. To ensure tactical design, selection of technology to protect data, logical access reviews, and the implementation of audit trails
  C. To implement data classification, risk assessments, security control reviews, and contingency planning

  ---

  Explanation

  https://www.examtopics.com/discussions/comptia/view/84935-exam-cs0-002-topic-1-question-191-discussion/

• Question 378:

  Which of the following actions would an analyst most likely perform after an incident has been investigated?

  A. Risk assessment
  B. Root cause analysis
  C. Incident response plan
  D. Tabletop exercise
  B. Root cause analysis

  ---

  Explanation

  After an incident has been investigated, one of the most important actions is to perform a root cause analysis. Root cause analysis helps in identifying the underlying reasons or factors that led to the incident in the first place. By understanding the root causes, organizations can implement corrective actions to prevent similar incidents from occurring in the future. This analysis is crucial for improving the overall security posture and resilience of the organization.

  References:

  https://www.ibm.com/topics/incident-response

• Question 379:

  A security analyst is supporting an embedded software team.

  Which of the following is the best recommendation to ensure proper error handling at runtime?

  A. Perform static code analysis.
  B. Require application fuzzing.
  C. Enforce input validation.
  D. Perform a code review.
  C. Enforce input validation.

• Question 380:

  Using open-source intelligence gathered from technical forums, a threat actor compiles and tests a malicious downloader to ensure it will not be detected by the victim organization's endpoint security protections.

  Which of the following stages of the Cyber Kill Chain best aligns with the threat actor's actions?

  A. Delivery
  B. Reconnaissance
  C. Exploitation
  D. Weaponizatign
  D. Weaponizatign

  ---

  Explanation

  Weaponization is the stage of the Cyber Kill Chain where the threat actor creates or modifies a malicious tool to use against a target. In this case, the threat actor compiles and tests a malicious downloader, which is a type of weaponized malware.

  References:

  Cybersecurity 101, The Cyber Kill Chain: The Seven Steps of a Cyberattack