CompTIA CS0-003 Online Practice Questions and Exam Preparation

CompTIA CS0-003 Online Questions & Answers

• Question 391:

  An incident response team is assessing attack vectors of malware that is encrypting data with ransomware. There are no indications of a network-based intrusion.

  Which of the following is the most likely root cause of the incident?

  A. USB drop
  B. LFI
  C. Cross-site forgery
  D. SQL injection
  A. USB drop

  ---

  Explanation

  A USB drop attack is a common method for delivering ransomware, where an attacker leaves infected USB drives in strategic locations, tricking employees into plugging them into corporate devices.

  Option B (LFI - Local File Inclusion) exploits web applications, but the scenario lacks network intrusion indicators.

  Option C (Cross-site request forgery - CSRF) is used for exploiting authenticated web sessions, not ransomware delivery.

  Option D (SQL injection) is used for database exploitation, not file encryption malware.

  Thus, A (USB drop) is the correct answer, as physical malware introduction is a known ransomware attack vector.

• Question 392:

  A zero-day command injection vulnerability was published. A security administrator is analyzing the following logs for evidence of adversaries attempting to exploit the vulnerability:

  

  Which of the following log entries provides evidence of the attempted exploit?

  A. Log entry 1
  B. Log entry 2
  C. Log entry 3
  D. Log entry 4
  A. Log entry 1

• Question 393:

  An incident response team receives an alert to start an investigation of an internet outage. The outage is preventing all users in multiple locations from accessing external SaaS resources. The team determines the organization was impacted by a DDoS attack.

  Which of the following logs should the team review first?

  A. CDN
  B. Vulnerability scanner
  C. DNS
  D. Web server
  C. DNS

  ---

  Explanation

  A distributed denial-of-service (DDoS) attack is a type of cyberattack that aims to overwhelm a "th a large volume of traffic from multiple sources. A common technique for launching a DDoS attack is to compromise DNS servers, which are responsible for resolving domain names into IP addresses. By flooding DNS servers with malicious requests, attackers can disrupt the normal functioning of the internet and prevent users from accessing external SaaS resources. Official

  https://www.eccouncil.org/cybersecurity-exchange/threatintelligence/cyber-kill-chain-seven-steps-cyberattack/

• Question 394:

  An analyst needs to provide recommendations based on a recent vulnerability scan:

  

  Which of the following should the analyst recommend addressing to ensure potential vulnerabilities are identified?

  A. SMB use domain SID to enumerate users
  B. SYN scanner
  C. SSL certificate cannot be trusted
  D. Scan not performed with admin privileges
  D. Scan not performed with admin privileges

  ---

  Explanation

  This is because scanning without admin privileges can limit the scope and accuracy of the vulnerability scan, and potentially miss some critical vulnerabilities that require higher privileges to detect. According to the OWASP Vulnerability Management Guide1, "scanning without administrative privileges will result in a large number of false negatives and an incomplete scan". Therefore, the analyst should recommend addressing this issue to ensure potential vulnerabilities are identified.

• Question 395:

  An analyst investigated a website and produced the following:

  

  Which of the following syntaxes did the analyst use to discover the application versions on this vulnerable website?

  A. nmap -sS -T4 -F insecure.org
  B. nmap -o insecure.org
  C. nmap -sV -T4 -F insecure.org
  D. nmap -A insecure.org
  C. nmap -sV -T4 -F insecure.org

• Question 396:

  Which of the following concepts is using an API to insert bulk access requests from a file into an identity management system an example of?

  A. Command and control
  B. Data enrichment
  C. Automation
  D. Single sign-on
  C. Automation

  ---

  Explanation

  Automation is the best concept to describe the example, as it reflects the use of technology to perform tasks or processes without human intervention. Automation can help to improve efficiency, accuracy, consistency, and scalability of various operations, such as identity and access management (IAM). IAM is a security framework that enables organizations to manage the identities and access rights of users and devices across different systems and applications. IAM can help to ensure that only authorized users and devices can access the appropriate resources at the appropriate time and for the appropriate purpose. IAM can involve various tasks or processes, such as authentication, authorization, provisioning, deprovisioning, auditing, or reporting. Automation can help to simplify and streamline these tasks or processes by using software tools or scripts that can execute predefined actions or workflows based on certain triggers or conditions. For example, automation can help to create, update, or delete user accounts in bulk based on a file or a database, rather than manually entering or modifying each account individually. The example in the question shows that an API is used to insert bulk access requests from a file into an identity management system. An API (Application Programming Interface) is a set of rules or specifications that defines how different software components or systems can communicate and exchange data with each other. An API can help to enable automation by providing a standardized and consistent way to access and manipulate data or functionality of a software component or system. The example in the question shows that an API is used to automate the process of inserting bulk access requests from a file into an identity management system, rather than manually entering each request one by one. The other options are not correct, as they describe different concepts or techniques. Command and control is a term that refers to the ability of an attacker to remotely control a compromised system or device, such as using malware or backdoors. Command and control is not related to what is described in the example. Data enrichment is a term that refers to the process of enhancing or augmenting existing data with additional information from external sources, such as adding demographic or behavioral attributes to customer profiles. Data enrichment is not related to what is described in the example. Single sign-on is a term that refers to an authentication method that allows users to access multiple systems or applications with one set of credentials, such as using a single username and password for different websites or services. Single sign-on is not related to what is described in the example.

• Question 397:

  HOTSPOT

  The developers recently deployed new code to three web servers. A daily automated external device scan report shows server vulnerabilities that are failing items according to PCI DSS.

  If the vulnerability is not valid, the analyst must take the proper steps to get the scan clean.

  If the vulnerability is valid, the analyst must remediate the finding.

  After reviewing the information provided in the network diagram, select the STEP 2 tab to complete the simulation by selecting the correct Validation Result and Remediation Action for each server listed using the drop-down options.

  INSTRUCTIONS

  STEP 1: Review the information provided in the network diagram.

  STEP 2: Given the scenario, determine which remediation action is required to address the vulnerability.

  If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

  Step 1

  

  

  

  

  

  

• Question 398:

  A recent vulnerability scan resulted in an abnormally large number of critical and high findings that require patching. The SLA requires that the findings be remediated within a specific amount of time.

  Which of the following is the best approach to ensure all vulnerabilities are patched in accordance with the SLA?

  A. Integrate an IT service delivery ticketing system to track remediation and closure
  B. Create a compensating control item until the system can be fully patched
  C. Accept the risk and decommission current assets as end of life
  D. Request an exception and manually patch each system
  A. Integrate an IT service delivery ticketing system to track remediation and closure

  ---

  Explanation

  Integrating an IT service delivery ticketing system to track remediation and closure is the best approach to ensure all vulnerabilities are patched in accordance with the SLA. A ticketing system is a software tool that helps manage, organize, and track the tasks and workflows related to IT service delivery, such as incident management, problem management, change management, and vulnerability management. A ticketing system can help the security team to prioritize, assign, monitor, and document the remediation of the vulnerabilities, and to ensure that they are completed within the specified time frame and quality standards. A ticketing system can also help the security team to communicate and collaborate with other teams, such as the IT operations team, the development team, and the business stakeholders, and to report on the status and progress of the remediation efforts 12. Creating a compensating control item, accepting the risk, and requesting an exception are not the best approaches to ensure all vulnerabilities are patched in accordance with the SLA, as they do not address the root cause of the problem, which is the large number of critical and high findings that require patching. These approaches may also introduce more risks or challenges for the security team, such as compliance issues, resource constraints, or business impacts3 .

  References:

  What is a Ticketing System? | Freshservice ITSM Glossary, Vulnerability Management Best Practices, Compensating Controls: An Impermanent Solution to an IT ... - Tripwire, [Risk Acceptance in Information Security - Infosec Resources], [Exception Management - ISACA] Reference: (https://phoenix.security/using-slas-for-better-vulnerability-management-remediation-improving-developers-workflow/)

• Question 399:

  During the forensic analysis of a compromised machine, a security analyst discovers some binaries that are exhibiting abnormal behaviors. After extracting the strings, the analyst finds unexpected content.

  Which of the following is the next step the analyst should take?

  A. Validate the binaries' hashes from a trusted source.
  B. Use file integrity monitoring to validate the digital signature
  C. Run an antivirus against the binaries to check for malware.
  D. Only allow binaries on the approve list to execute.
  A. Validate the binaries' hashes from a trusted source.

  ---

  Explanation

  " from a trusted source is the next step the analyst should take after discovering some binaries that are exhibiting abnormal behaviors and finding unexpected content in their strings. A hash is a fixed-length value that uniquely represents the contents of a file or message. By comparing the hashes of the binaries on the compromised machine with the hashes of the original or legitimate binaries from a trusted source, such as the software vendor or repository, the analyst can determine whether the binaries have been modified or replaced by malicious code. If the hashes do not match, it indicates that the binaries have been tampered with and may contain malware.

• Question 400:

  An organization has experienced a breach of customer transactions.

  Under the terms of PCI DSS, which of the following groups should the organization report the breach to?

  A. PCI Security Standards Council
  B. Local law enforcement
  C. Federal law enforcement
  D. Card issuer
  D. Card issuer

  ---

  Explanation

  Under the terms of PCI DSS, an organization that has experienced a breach of customer transactions should report the breach to the card issuer. The card issuer is the financial institution that issues the payment cards to the customers and that is responsible for authorizing and processing the transactions. The card issuer may have specific reporting requirements and procedures for the organization to follow in the event of a breach. The organization should also notify other parties that may be affected by the breach, such as customers, law enforcement, or regulators, depending on the nature and scope of the breach. Official

  https://www.pcisecuritystandards.org/