Which of the following best describes the activity that the analyst will confirm?
A. SQL injection B. Directory brute force C. Remote command execution D. Cross-site scripting
B. Directory brute force
Question 413:
A security analyst must review a suspicious email to determine its legitimacy.
Which of the following should be performed? (Choose two.)
A. Evaluate scoring fields, such as Spam Confidence Level and Bulk Complaint Level B. Review the headers from the forwarded email C. Examine the recipient address field D. Review the Content-Type header E. Evaluate the HELO or EHLO string of the connecting email server F. Examine the SPF, DKIM, and DMARC fields from the original email
B. Review the headers from the forwarded email F. Examine the SPF, DKIM, and DMARC fields from the original email
Explanation
Review the headers from the forwarded email: The Received chain and the receiving server's Authentication-Results header show where the message entered the relay chain, which hops it passed through, and whether the envelope sender (Return-Path) matches the displayed From address. Ask the reporter to forward the message as an attachment (.eml) rather than inline, because an inline forward carries the forwarder's own headers, not the original sender's.
Examine the SPF, DKIM, and DMARC fields from the original email: Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) let the receiving server verify that the sending host and the message signature are authorized for the claimed domain. Their pass/fail results, recorded by the receiving mail server in the Authentication-Results header, show whether the sender was spoofed; a DMARC pass additionally requires the authenticated domain to align with the header From domain, which is the field the user actually sees.
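The checks described above, as an added example that is not part of the original question bank: it parses a constructed message with Python's standard email module, pulls the receiving server's SPF/DKIM/DMARC verdicts out of Authentication-Results, walks the Received chain to find the entry IP, and checks From/Return-Path alignment. The message, hostnames and addresses are all made up for the example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample message (not a real email): a lookalike of an internal
# accounts-payable sender that fails SPF and DMARC. Tabs mark folded header lines.
RAW_MESSAGE = """\
Received: from mx.example.org (mx.example.org [203.0.113.10])
\tby inbound.corp.example (Postfix) with ESMTPS id 4F3A1
\tfor <analyst@corp.example>; Mon, 01 Jan 2024 10:00:05 +0000
Received: from bulk-sender.invalid (unknown [198.51.100.7])
\tby mx.example.org with ESMTP id 9B2C
\tfor <analyst@corp.example>; Mon, 01 Jan 2024 09:59:58 +0000
Authentication-Results: inbound.corp.example;
\tspf=fail (sender IP is 198.51.100.7) smtp.mailfrom=billing.example.com;
\tdkim=none header.d=example.com;
\tdmarc=fail (p=NONE) header.from=example.com
Return-Path: <bounce@billing.example.com>
From: "Accounts Payable" <ap@example.com>
To: analyst@corp.example
Subject: Invoice overdue
Content-Type: text/plain; charset="utf-8"

Please pay the attached invoice today.
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.I)


def parse_auth_results(msg):
    """Pull the receiving MTA's spf/dkim/dmarc verdicts out of Authentication-Results."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for mech, verdict in AUTH_RE.findall(str(header)):
            results.setdefault(mech.lower(), verdict.lower())  # outermost MTA wins
    return results


def domain_of(addr):
    """Domain part of an RFC 5322 address ('' if none)."""
    return parseaddr(str(addr))[1].rpartition("@")[2].lower()


def received_hops(msg):
    """Received headers newest first; the last one is where the message entered the chain."""
    return [" ".join(str(h).split()) for h in msg.get_all("Received", [])]


def entry_ip(hops):
    """Bracketed IPv4 literal of the first relay, taken from the oldest Received header."""
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hops[-1]) if hops else None
    return m.group(1) if m else None


def dmarc_aligned(from_domain, auth_domain):
    """Relaxed DMARC alignment: same domain, or the authenticated domain is a subdomain."""
    return from_domain == auth_domain or auth_domain.endswith("." + from_domain)


def assess_message(raw):
    msg = message_from_string(raw, policy=policy.default)
    auth = parse_auth_results(msg)
    from_domain = domain_of(msg["From"] or "")
    envelope_domain = domain_of(msg["Return-Path"] or "")
    hops = received_hops(msg)
    flags = []
    if auth.get("spf") != "pass":
        flags.append(f"SPF {auth.get('spf', 'missing')} for envelope sender {envelope_domain}")
    if auth.get("dkim") != "pass":
        flags.append(f"DKIM {auth.get('dkim', 'missing')}")
    if auth.get("dmarc") != "pass":
        flags.append(f"DMARC {auth.get('dmarc', 'missing')} for header From {from_domain}")
    if not dmarc_aligned(from_domain, envelope_domain):
        flags.append(f"Return-Path {envelope_domain} not aligned with From {from_domain}")
    return {
        "auth": auth,
        "from_domain": from_domain,
        "envelope_domain": envelope_domain,
        "hops": hops,
        "entry_ip": entry_ip(hops),
        "flags": flags,
        "verdict": "suspicious" if flags else "authenticated",
    }


if __name__ == "__main__":
    for key, value in assess_message(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

Run it on an .eml saved from the mail client; reading the same fields from an inline forward would only describe the forwarder's hop, which is why the original message is needed.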
Question 414:
A network analyst notices a long spike in traffic on port 1433 between two IP addresses on opposite sides of a WAN connection.
Which of the following is the most likely cause?
A. A local red team member is enumerating the local RFC1918 segment to enumerate hosts. B. A threat actor has a foothold on the network and is sending out control beacons. C. An administrator executed a new database replication process without notifying the SOC. D. An insider threat actor is running Responder on the local segment, creating traffic replication.
C. An administrator executed a new database replication process without notifying the SOC.
Explanation
TCP port 1433 is the default listener for Microsoft SQL Server. A sustained, high-volume spike between two hosts on opposite sides of a WAN link is what database replication, log shipping, or a bulk copy between sites looks like: large transfers between known database servers. Command-and-control beacons (B) are small and periodic rather than a long spike, and local enumeration or Responder (A, D) stay on the local segment and would not cross the WAN. The most likely cause is therefore an administrator starting a replication job without telling the security operations center (SOC); routing such changes through the SOC in advance avoids confusion and false alarms.
Question 415:
Which of the following would help to minimize human engagement and aid in process improvement in security operations?
A. OSSTMM B. SIEM C. SOAR D. OWASP
C. SOAR
Explanation
SOAR stands for security orchestration, automation, and response: a class of platforms that connect security tools, encode response procedures as playbooks, and run the repetitive steps (alert enrichment, containment, ticketing, notification) automatically. It minimizes human engagement by taking manual work out of routine alerts, and it aids process improvement by making each playbook measurable and repeatable, which cuts errors and response time. A SIEM (B) collects and correlates events but does not by itself act on them, and OSSTMM (A) is a testing methodology rather than operational tooling.
Question 416:
The Chief Executive Officer (CEO) has notified that a confidential trade secret has been compromised.
Which of the following communication plans should the CEO initiate?
A. Alert department managers to speak privately with affected staff. B. Schedule a press release to inform other service provider customers of the compromise. C. Disclose to all affected parties in the Chief Operating Officer for discussion and resolution. D. Verify legal notification requirements of PII and SPII in the legal and human resource departments.
D. Verify legal notification requirements of PII and SPII in the legal and human resource departments.
Explanation
When a confidential trade secret has been compromised, it's crucial to first verify any legal notification requirements, especially if the compromised information includes Personally Identifiable Information (PII) or Sensitive Personal Identifiable Information (SPII). This step ensures that the organization complies with relevant laws and regulations, which may mandate specific actions or disclosures. Involving the legal and human resources departments helps to ensure that the response is both legally compliant and appropriately managed from an internal perspective.
Question 417:
A security analyst responds to a series of events surrounding sporadic bandwidth consumption from an endpoint device. The security analyst then identifies the following additional details:
1. Bursts of network utilization occur approximately every seven days.
2. The content being transferred appears to be encrypted or obfuscated.
3. A separate but persistent outbound TCP connection from the host to infrastructure in a third-party cloud is in place.
4. The HDD utilization on the device grows by 10GB to 12GB over the course of every seven days.
5. Single file sizes are 10GB.
Which of the following describes the most likely cause of the issue?
A. Memory consumption B. Non-standard port usage C. Data exfiltration D. System update E. Botnet participant
C. Data exfiltration
Explanation
Data exfiltration is the unauthorized transfer of data from a computer or network to an external destination, usually for malicious purposes such as espionage, sabotage, or theft. The details given in the question suggest that data exfiltration is occurring from the endpoint. The bursts of network utilization every seven days indicate scheduled, periodic transfers. The content being transferred appears to be encrypted or obfuscated to avoid inspection. The persistent outbound TCP connection from the host to infrastructure in a third-party cloud looks like a command-and-control channel. The HDD utilization growing by 10GB to 12GB every seven days, with single files of 10GB, indicates that data is being staged and compressed locally before each transfer. A system update (D) would not stage data on disk in fixed-size archives, and a botnet participant (E) would typically generate outbound attack traffic rather than large periodic uploads.
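The two indicators that carry most of the weight in this question, periodic large bursts and a long-lived outbound session, can be pulled out of flow data mechanically. The block below is an added example, not part of the original question bank: it builds four weeks of constructed flow summaries for one host (the addresses, ports and volumes are made up), then flags source/destination pairs whose high-volume days recur at a near-constant interval and sessions that have stayed open for at least a day. The 1 GB burst threshold and the RFC 1918 internal ranges are assumptions for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean

INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    """RFC 1918 check; ipaddress.is_private is avoided because it also covers TEST-NET ranges."""
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def build_flows():
    """Constructed flow summaries for one endpoint over four weeks (not real traffic)."""
    host, cloud, fileserver = "10.20.30.40", "203.0.113.50", "10.0.0.5"
    day0 = datetime(2024, 1, 1)
    flows = []
    for day in range(28):
        ts = day0 + timedelta(days=day, hours=9)
        flows.append({"start": ts, "src": host, "dst": fileserver, "dport": 445,
                      "bytes": 60_000_000, "seconds": 120})           # normal daily SMB
        if day % 7 == 3:                                               # weekly ~10 GB upload
            flows.append({"start": ts + timedelta(hours=14), "src": host, "dst": cloud,
                          "dport": 443, "bytes": 10_500_000_000, "seconds": 3600})
    # one low-volume TCP session that has stayed open for the whole period
    flows.append({"start": day0, "src": host, "dst": cloud, "dport": 8443,
                  "bytes": 2_000_000, "seconds": 28 * 86400})
    return flows


def daily_volume(flows):
    """Bytes per (src, dst) pair per calendar day."""
    vol = defaultdict(lambda: defaultdict(int))
    for f in flows:
        vol[(f["src"], f["dst"])][f["start"].date()] += f["bytes"]
    return vol


def periodic_bursts(flows, min_bytes=1_000_000_000, min_bursts=3, jitter_days=1):
    """Pairs whose days at or above min_bytes recur at a near-constant interval."""
    findings = {}
    for pair, per_day in daily_volume(flows).items():
        burst_days = sorted(d for d, b in per_day.items() if b >= min_bytes)
        if len(burst_days) < min_bursts:
            continue
        gaps = [(b - a).days for a, b in zip(burst_days, burst_days[1:])]
        if max(gaps) - min(gaps) <= jitter_days:
            findings[pair] = {"period_days": round(mean(gaps)), "bursts": burst_days}
    return findings


def persistent_connections(flows, min_seconds=86400):
    """Sessions open for at least a day, the shape a long-lived C2 channel often has."""
    return [f for f in flows if f["seconds"] >= min_seconds]


def assess_host(flows, host):
    """Combine both indicators for one source host into a verdict."""
    host_flows = [f for f in flows if f["src"] == host]
    indicators = []
    for (_, dst), info in periodic_bursts(host_flows).items():
        if not is_internal(dst):
            indicators.append(f"{info['period_days']}-day periodic bursts to external {dst} "
                              f"({len(info['bursts'])} seen)")
    for f in persistent_connections(host_flows):
        if not is_internal(f["dst"]):
            indicators.append(f"persistent session to external {f['dst']}:{f['dport']} "
                              f"open {f['seconds'] // 86400} days")
    verdict = "likely exfiltration" if len(indicators) >= 2 else "inconclusive"
    return {"indicators": indicators, "verdict": verdict}


if __name__ == "__main__":
    for line in assess_host(build_flows(), "10.20.30.40")["indicators"]:
        print(line)
```

Against real NetFlow or Zeek conn logs the same two functions apply unchanged; the day-level bucketing is deliberate, since a burst that straddles midnight still lands on adjacent days within the jitter allowance.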
Question 418:
While reviewing a vulnerability assessment, an analyst notices the following issue is identified in the report:
this finding, which of the following would be most appropriate for the analyst to recommend to the network engineer?
A. Reconfigure the device to support only connections leveraging TLSv1.2. B. Obtain a new self-signed certificate and select AES as the hashing algorithm. C. Replace the existing certificate with a certificate that uses only MD5 for signing. D. Use only signed certificates with cryptographically secure certificate sources.
D. Use only signed certificates with cryptographically secure certificate sources.
Question 419:
A security analyst identifies a device on which different malware was detected multiple times, even after the systems were scanned and cleaned several times.
Which of the following actions would be most effective to ensure the device does not have residual malware?
A. Update the device and scan offline in safe mode. B. Replace the hard drive and reimage the device. C. Upgrade the device to the latest OS version. D. Download a secondary scanner and rescan the device.
B. Replace the hard drive and reimage the device.
Explanation
Reimaging the device is the most effective way to eliminate persistent malware because some sophisticated malware, such as rootkits and firmware-level threats, can survive traditional scans and removals.
If a system keeps getting reinfected after cleaning, it may indicate a deeply embedded persistent threat, possibly in:
Why Not Other Options?
A (Update and scan in safe mode) Might help, but if malware is persistent, it will likely return.
C (Upgrade OS) Does not necessarily remove malware; some malware survives OS upgrades.
D (Secondary scanner) Useful for detection but does not guarantee complete removal.
Best Practice:
Replace the hard drive to eliminate persistence in boot sectors, hidden partitions, or the drive's own firmware; an implant in the system (UEFI/BIOS) firmware on the mainboard survives a drive swap and requires reflashing the firmware from a vendor image.
Reimage the system from a known-good source.
Update the OS and security patches before reconnecting to the network.
References:
CompTIA CySA+ CS0-003, Chapter 4: "Incident Response and Forensics," Section: "Malware Removal and System Recovery."
Question 420:
A code review reveals a web application is using time-based cookies for session management. This is a security concern because time-based cookies are easy to:
A. parameterize B. decode C. guess D. decrypt
C. guess
Explanation
Time-based cookies are a security concern because they are easy to guess. The weakness is that the session identifier is derived from a predictable input, typically the timestamp at which the session was created. An attacker who knows roughly when the victim logged in (from a login notification, an observed request, or simply by trying a window of seconds around a likely time) can regenerate candidate identifiers for each second in that window and test them until one is accepted, then take over the user's session. The cost of the attack is a few hundred requests, not the astronomically large search a truly random identifier would require.
In contrast, secure session management practices involve using complex, random, and unpredictable values for session IDs to prevent them from being easily guessed or predicted.
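The contrast above, as an added example that is not part of the original question bank: a deliberately weak session ID that is a pure function of the login second, the attacker's guessing loop that recovers it from an approximate login time, and the random alternative generated from the OS CSPRNG with the cookie attributes it should be sent with. The MD5-of-timestamp scheme and the victim's login time are constructed for the example.

```python
import hashlib
import secrets


def weak_session_id(created_at):
    """Deliberately weak: the ID is a pure function of the creation time in whole seconds."""
    return hashlib.md5(str(int(created_at)).encode()).hexdigest()


def guess_weak_session(target_id, approx_login_time, window_seconds=300):
    """Attacker side: starting from a rough login time, test one second at a time,
    spiralling outward. Returns (true_login_time, attempts) or None if not found."""
    center = int(approx_login_time)
    attempts = 0
    for offset in range(window_seconds + 1):
        candidates = (center,) if offset == 0 else (center - offset, center + offset)
        for candidate in candidates:
            attempts += 1
            if weak_session_id(candidate) == target_id:
                return candidate, attempts
    return None


def strong_session_id():
    """256 bits from the OS CSPRNG; the search space is 2**256, so guessing is hopeless."""
    return secrets.token_urlsafe(32)


def session_cookie(session_id):
    """Set-Cookie value that keeps the ID off cleartext connections, away from scripts,
    and out of cross-site requests."""
    return f"session={session_id}; Path=/; Secure; HttpOnly; SameSite=Strict"


if __name__ == "__main__":
    victim_login = 1_700_000_000            # constructed: the victim's actual login second
    cookie_seen = weak_session_id(victim_login)
    # the attacker's estimate is 42 seconds late, yet the ID falls out in well under 100 tries
    print(guess_weak_session(cookie_seen, victim_login + 42))
    # the same loop against a random ID never matches, regardless of the window
    print(guess_weak_session(strong_session_id(), victim_login))
    print(session_cookie(strong_session_id()))
```

Hashing the timestamp does not help: the attacker runs the same hash over the same small set of inputs, so the effective entropy is the size of the time window, not the length of the digest.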