CompTIA CS0-003 Online Practice Questions and Exam Preparation
CS0-003 Exam Details
Exam Code: CS0-003
Exam Name: CompTIA Cybersecurity Analyst (CySA+)
Certification: CompTIA Certifications
Vendor: CompTIA
Total Questions: 680 Q&As
Last Updated: May 25, 2026
CompTIA CS0-003 Online Questions & Answers
Question 481:
After conducting a cybersecurity risk assessment for a new software request, a Chief Information Security Officer (CISO) decided the risk score would be too high. The CISO refused the software request.
Which of the following risk management principles did the CISO select?
A. Avoid
B. Transfer
C. Accept
D. Mitigate
A. Avoid
Explanation
Avoid is a risk management principle that describes the decision or action of not engaging in an activity or accepting a risk that is deemed too high or unacceptable. Avoiding a risk can eliminate the possibility or impact of the risk, as well as the need for any further risk management actions. In this case, the CISO decided the risk score would be too high and refused the software request. This indicates that the CISO selected the avoid principle for risk management.
Question 482:
Which of the following is the best technical method to protect sensitive data at an organizational level?
A. Deny all traffic on port 8080 with sensitive information on the VLAN.
B. Develop a Python script to review email traffic for PII.
C. Employ a restrictive policy for the use and distribution of sensitive information.
D. Implement a DLP for all egress and ingress of sensitive information on the network.
D. Implement a DLP for all egress and ingress of sensitive information on the network.
Question 483:
A company that has a geographically diverse workforce and dynamic IPs wants to implement a vulnerability scanning method with reduced network traffic.
Which of the following would best meet this requirement?
A. External
B. Agent-based
C. Non-credentialed
D. Credentialed
B. Agent-based
Explanation
Agent-based vulnerability scanning is a method that involves installing software agents on the target systems or networks that can perform local scans and report the results to a central server or console. Agent-based vulnerability scanning can reduce network traffic, as the scans are performed locally and only the results are transmitted over the network. Agent-based vulnerability scanning can also provide more accurate and up-to-date results, as the agents can scan continuously or on-demand, regardless of the system or network status or location.
Question 484:
In the last hour, a high volume of failed RDP authentication attempts has been logged on a critical server. All of the authentication attempts originated from the same remote IP address and made use of a single valid domain user account.
Which of the following mitigating controls would be most effective to reduce the rate of success of this brute-force attack? (Select two).
A. Increase the granularity of log-on event auditing on all devices.
B. Enable host firewall rules to block all outbound traffic to TCP port 3389.
C. Configure user account lockout after a limited number of failed attempts.
D. Implement a firewall block for the IP address of the remote system.
E. Install a third-party remote access tool and disable RDP on all devices.
F. Block inbound to TCP port 3389 from untrusted remote IP addresses at the perimeter firewall.
C. Configure user account lockout after a limited number of failed attempts.
F. Block inbound to TCP port 3389 from untrusted remote IP addresses at the perimeter firewall.
Explanation
To mitigate brute-force attacks, implementing an account lockout policy (C) prevents continuous attempts by locking the account after a set number of failed logins. Blocking inbound connections on TCP port 3389 (RDP) from untrusted IP addresses (F) limits access, reducing the attack surface. According to CompTIA Security+, these controls effectively prevent unauthorized access. While blocking specific IPs (D) or disabling RDP (E) can also help, the lockout and firewall rules provide broader, proactive protection against this attack type.
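The pattern in this question (many failed logons, one source IP, one valid account) is what an analyst would hunt for in Windows Security logs, and the account-lockout control (C) is simple enough to simulate. The following is an added example, not part of the original question set: it parses constructed event lines in a simplified `EventID=4625 / LogonType=10` format (4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive, i.e. RDP), flags any (source IP, account) pair that exceeds a failure threshold inside a sliding time window, and then replays the same events against a hypothetical lockout policy to show how many later attempts the lockout would have rejected. The log lines, IP addresses (documentation ranges) and account names are all constructed.

```python
"""Added example: detect a single-source RDP brute-force pattern in
Windows-style logon events and simulate an account-lockout policy.
All sample data below is constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. Real 4625/4624 events carry more fields; this
# flattened one-line form keeps the example self-contained.
SAMPLE_LOG = """\
2024-05-01T10:00:05Z EventID=4625 LogonType=10 Account=CORP\\jdoe SourceIP=203.0.113.45 Status=0xC000006D
2024-05-01T10:00:09Z EventID=4625 LogonType=10 Account=CORP\\jdoe SourceIP=203.0.113.45 Status=0xC000006D
2024-05-01T10:00:14Z EventID=4625 LogonType=10 Account=CORP\\jdoe SourceIP=203.0.113.45 Status=0xC000006D
2024-05-01T10:00:20Z EventID=4625 LogonType=10 Account=CORP\\jdoe SourceIP=203.0.113.45 Status=0xC000006D
2024-05-01T10:00:27Z EventID=4625 LogonType=10 Account=CORP\\jdoe SourceIP=203.0.113.45 Status=0xC000006D
2024-05-01T10:00:33Z EventID=4625 LogonType=10 Account=CORP\\jdoe SourceIP=203.0.113.45 Status=0xC000006D
2024-05-01T10:00:40Z EventID=4625 LogonType=10 Account=CORP\\jdoe SourceIP=203.0.113.45 Status=0xC000006D
2024-05-01T10:00:48Z EventID=4625 LogonType=10 Account=CORP\\jdoe SourceIP=203.0.113.45 Status=0xC000006D
2024-05-01T10:03:00Z EventID=4625 LogonType=10 Account=CORP\\asmith SourceIP=192.0.2.10 Status=0xC000006D
2024-05-01T10:04:00Z EventID=4624 LogonType=10 Account=CORP\\asmith SourceIP=192.0.2.10 Status=0x0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event>\d+) LogonType=(?P<ltype>\d+) "
    r"Account=(?P<account>\S+) SourceIP=(?P<ip>\S+) Status=(?P<status>\S+)$"
)


def parse_events(text):
    """Parse the flattened log lines into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than fail
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["event"] = int(e["event"])
        e["ltype"] = int(e["ltype"])
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect_rdp_bruteforce(events, window=timedelta(hours=1), threshold=5):
    """Return (ip, account, max_failures_in_window) for every pair whose
    failed RDP logons exceed `threshold` within any `window`-long span."""
    failures = defaultdict(list)
    for e in events:
        if e["event"] == 4625 and e["ltype"] == 10:
            failures[(e["ip"], e["account"])].append(e["ts"])
    hits = []
    for (ip, account), stamps in failures.items():
        stamps.sort()
        best, start = 0, 0
        for end, ts in enumerate(stamps):  # two-pointer sliding window
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits.append((ip, account, best))
    return sorted(hits, key=lambda h: -h[2])


def simulate_lockout(events, threshold=5, duration=timedelta(minutes=15)):
    """Replay events against a hypothetical lockout policy: after `threshold`
    consecutive failures the account is locked for `duration`, and attempts
    made while locked are counted as blocked. A successful logon resets the
    failure counter. Returns per-account {locked_at, blocked}."""
    state = {}
    for e in events:
        if e["ltype"] != 10:
            continue
        s = state.setdefault(e["account"],
                             {"fails": 0, "locked_until": None, "blocked": 0, "locked_at": None})
        if s["locked_until"] is not None and e["ts"] < s["locked_until"]:
            s["blocked"] += 1
            continue
        if e["event"] == 4625:
            s["fails"] += 1
            if s["fails"] >= threshold:
                s["locked_until"] = e["ts"] + duration
                s["locked_at"] = s["locked_at"] or e["ts"].isoformat()
                s["fails"] = 0
        elif e["event"] == 4624:
            s["fails"] = 0
    return {a: {"locked_at": s["locked_at"], "blocked": s["blocked"]} for a, s in state.items()}


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print("brute-force candidates:", detect_rdp_bruteforce(evts))
    print("lockout simulation:", simulate_lockout(evts))
```

With the constructed data, `detect_rdp_bruteforce` reports only the `203.0.113.45` / `CORP\jdoe` pair (8 failures), and the lockout simulation locks that account on the fifth failure and rejects the remaining three attempts, which is the rate-of-success reduction the question is after. The perimeter block (F) is not simulated because it stops the traffic before any event is logged at all.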
Question 485:
An organization is preparing for a disaster recovery exercise.
Which of the following actions should be implemented first?
A. Gather all internal stakeholders and review the actions according to the defined incident playbook.
B. Coordinate the supporting staff for the recovery process to ensure availability at the recovery site.
C. Ensure that the vendor for the disaster recovery site is scheduled to support the recovery.
D. Identify a business-critical system and test by failing over to the disaster recovery location.
A. Gather all internal stakeholders and review the actions according to the defined incident playbook.
Question 486:
A security analyst observed the following activity from a privileged account:
1. Accessing emails and sensitive information
2. Audit logs being modified
3. Abnormal log-in times
Which of the following best describes the observed activity?
A. Irregular peer-to-peer communication
B. Unauthorized privileges
C. Rogue devices on the network
D. Insider attack
D. Insider attack
Explanation
The observed activity from a privileged account indicates an insider attack, which is when a trusted user or employee misuses their access rights to compromise the security of the organization. Accessing emails and sensitive information, modifying audit logs, and logging in at abnormal times are all signs of malicious behavior by a privileged user who may be trying to steal, tamper, or destroy data, or cover their tracks. An insider attack can cause significant damage to the organization's reputation, operations, and compliance [1][2].
References:
[1] The Privileged Identity Playbook Guides Management of Privileged User Accounts
[2] How to Track Privileged Users' Activities in Active Directory
Question 487:
An after-action review of a ransomware attack on a company identified deficiencies in responsiveness and consistency.
Which of the following choices would best facilitate improvement of these deficiencies?
A. Leverage a SIEM.
B. Utilize threat intelligence sharing.
C. Source multiple threat feeds.
D. Implement SOAR.
D. Implement SOAR.
Question 488:
A company has decided to expose several systems to the internet. The systems are currently available internally only. A security analyst is using a subset of CVSS 3.1 exploitability metrics to prioritize the vulnerabilities that would be the most exploitable when the systems are exposed to the internet. The systems and the vulnerabilities are shown below:
Which of the following systems should be prioritized for patching?
A. brown
B. grey
C. blane
D. sullivan
C. blane
Explanation
The system "blane" with the vulnerability name "snakedoctor" should be prioritized for patching as it has a network attack vector (AV:N), low attack complexity (AC:L), and high availability (A:H). These metrics indicate that it would be relatively easy to exploit this vulnerability over the internet, and the system is highly available.
References:
According to the CVSS v3.1 Specification Document, the exploitability metrics for CVSS are Attack Vector, Attack Complexity, Privileges Required, User Interaction, and Scope. These metrics measure how the vulnerability is accessed, the complexity of the attack, and the level of interaction and privileges required to exploit the vulnerability. The image shows a table with the values of these metrics for each system and vulnerability. Based on these values, the system "blane" has the highest exploitability score, as it has the most favorable conditions for an attacker. The other systems have either a lower attack vector, higher attack complexity, or lower availability, which make them less exploitable. Therefore, the system "blane" should be patched first.
Question 489:
An employee downloads a freeware program to change the desktop to the classic look of legacy Windows. Shortly after the employee installs the program, a high volume of random DNS queries begins to originate from the system. An investigation on the system reveals the following:
A. Persistence
B. Privilege escalation
C. Credential harvesting
D. Defense evasion
D. Defense evasion
Explanation
Defense evasion is the technique of avoiding detection or prevention by security tools or mechanisms. In this case, the freeware program is likely malware that generates random DNS queries to communicate with a command and control server or exfiltrate data. The command Add-MpPreference -ExclusionPath '%Program Filest\ksysconfig' is used to add an exclusion path to Windows Defender, which is a built-in antivirus software, to prevent it from scanning the malware folder.
An analyst received an alert regarding an application spawning a suspicious command shell process. Upon further investigation, the analyst observes the following registry change occurring immediately after the suspicious event:
Which of the following was the suspicious event able to accomplish?
A. Impair defenses.
B. Establish persistence.
C. Bypass file access controls.
D. Implement beaconing.