CompTIA CS0-003 Online Practice Questions and Exam Preparation

CompTIA CS0-003 Online Questions & Answers

• Question 501:

  An employee is suspected of misusing a company-issued laptop. The employee has been suspended pending an investigation by human resources.

  Which of the following is the best step to preserve evidence?

  A. Disable the user's network account and access to web resources.
  B. Make a copy of the files as a backup on the server.
  C. Place a legal hold on the device and the user's network share.
  D. Make a forensic image of the device and create a SHA-1 hash.
  D. Make a forensic image of the device and create a SHA-1 hash.

  ---

  Explanation

  Making a forensic image of the device and creating a SRA-1 hash is the best step to preserve evidence, as it creates an exact copy of the device's data and verifies its integrity. A forensic image is a bit-by-bit copy of the device's storage media, which preserves all the information on the device, including deleted or hidden files. A SRA-I hash is a cryptographic value that is calculated from the forensic image, which can be used to prove that the image has not been altered or tampered with. The other options are not as effective as making a forensic image and creating a SRA-1 hash, as they may not capture all the relevant data, or they may not provide sufficient verification of the evidence's authenticity.

  https://www.sans.org/blog/forensics-101-acquiring-an-image-with-ftk-imager/

  https://swailescomputerforensics.com/digital-forensics-imaging-hash-value/

• Question 502:

  A company is in the process of implementing a vulnerability management program, and there are concerns about granting the security team access to sensitive data.

  Which of the following scanning methods can be implemented to reduce the access to systems while providing the most accurate vulnerability scan results?

  A. Credentialed network scanning
  B. Passive scanning
  C. Agent-based scanning
  D. Dynamic scanning
  C. Agent-based scanning

  ---

  Explanation

  Agent-based scanning is a method that involves installing software agents on the target systems or networks that can perform local scans and report the results to a central server or console. Agent-based scanning can reduce the access to systems, as the agents do not require any credentials or permissions to scan the local system or network. Agent-based scanning can also provide the most accurate vulnerability scan results, as the agents can scan continuously or on-demand, regardless of the system or network status or location.

• Question 503:

  A list of loCs released by a government security organization contains the SHA-256 hash for a Microsoft-signed legitimate binary, svchost.exe.

  Which of the following best describes the result if security teams add this indicator to their detection signatures?

  A. This indicator would fire on the majority of Windows devices.
  B. Malicious files with a matching hash would be detected.
  C. Security teams would detect rogue svchost. exe processesintheirenvironment.
  D. Security teams would detect event entries detailing executionofknown-malicioussvchost.exe processes.
  A. This indicator would fire on the majority of Windows devices.

  ---

  Explanation

  Adding the SHA-256 hash of a legitimate Microsoft-signed binary like svchost.exe to detection signatures would result in the indicator firing on the majority of Windows devices. Svchost.exe is a common and legitimate system process used by Windows, and using its hash as an indicator of compromise (IOC) would generate numerous false positives, as it would match the legitimate instances of svchost.exe running on all Windows systems.

• Question 504:

  An analyst needs to forensically examine a Windows machine that was compromised by a threat actor. Intelligence reports state this specific threat actor is characterized by hiding malicious artifacts, especially with alternate data streams.

  Based on this intelligence, which of the following BEST explains alternate data streams?

  A. A different way data can be streamlined if the user wants to use less memory on a Windows system for forking resources.
  B. A way to store data on an external drive attached to a Windows machine that is not readily accessible to users.
  C. A Windows attribute that provides for forking resources and is potentially used to hide the presence of secret or malicious files inside the file records of a benign file.
  D. A Windows attribute that can be used by attackers to hide malicious files within system memory.
  C. A Windows attribute that provides for forking resources and is potentially used to hide the presence of secret or malicious files inside the file records of a benign file.

• Question 505:

  Alerts from the security dashboard are reporting a cloud-based host is suspected to be corrupt. The OS is not loading. The initial investigation concludes that the OS files were modified.

  Which of the following security controls provided the report?

  A. FIM
  B. DLP
  C. NIDS
  D. API gateway
  A. FIM

• Question 506:

  A security analyst obtained the following table of results from a recent vulnerability assessment that was conducted against a single web server in the environment:

  

  Which of the following should be completed first to remediate the findings?

  A. Ask the web development team to update the page contents
  B. Add the IP address allow listing for control panel access
  C. Purchase an appropriate certificate from a trusted root CA
  D. Perform proper sanitization on all fields
  D. Perform proper sanitization on all fields

  ---

  Explanation

  The first action that should be completed to remediate the findings is to perform proper sanitization on all fields. Sanitization is a process that involves validating, filtering, or encoding any user input or data before processing or storing it on a system or application. Sanitization can help prevent various types of attacks, such as cross-site scripting (XSS), SQL injection, or command injection, that exploit unsanitized input or data to execute malicious scripts, commands, or queries on a system or application. Performing proper sanitization on all fields can help address the most critical and common vulnerability found during the vulnerability assessment, which is XSS.

• Question 507:

  A security analyst needs to identify a computer based on the following requirements to be mitigated:

  The attack method is network-based with low complexity.

  No privileges or user action is needed.

  The confidentiality and availability level is high, with a low integrity level.

  Given the following CVSS 3.1 output:

  Computer1: CVSS3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:H

  Computer2: CVSS3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H

  Computer3: CVSS3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:H

  Computer4: CVSS3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H

  Which of the following machines should the analyst mitigate?

  A. Computer1
  B. Computer2
  C. Computer3
  D. Computer4
  D. Computer4

  ---

  Explanation

  Comprehensive Detailed Explanation:To match the mitigation criteria, we analyze each machine's CVSS (Common Vulnerability Scoring System) attributes:

  Attack Vector (AV): N for network (matches the requirement of network-based attack).

  Attack Complexity (AC): L for low (meets the requirement for low complexity).

  Privileges Required (PR): N for none (indicating no privileges are needed).

  User Interaction (UI): N for none (matches the requirement that no user action is needed).

  Confidentiality (C), Integrity (I), and Availability (A): Requires high confidentiality and availability with low integrity.

  From these criteria:

  Computer1 requires user interaction (UI:R), which disqualifies it. Computer2 has a local attack vector (AV:L), which disqualifies it for a network-based attack.

  Computer3 has a high attack complexity (AC:H), which does not meet the low complexity requirement.

  Computer4 meets all criteria: network attack vector, low complexity, no privileges, no user interaction, and appropriate confidentiality, integrity, and availability levels.

  Thus, Computer4 is the correct answer.

  References:

  NIST NVD (National Vulnerability Database): CVSS vector standards. CVSS 3.1 User Guide: Explanation of each CVSS metric and its application in vulnerability prioritization.

• Question 508:

  HOTSPOT

  A company recently experienced a security incident. The security team has determined a user clicked on a link embedded in a phishing email that was sent to the entire company. The link resulted in a malware download, which was subsequently installed and run.

  INSTRUCTIONS

  Part 1

  Review the artifacts associated with the security incident. Identify the name of the malware, the malicious IP address, and the date and time when the malware executable entered the organization.

  Part 2

  Review the kill chain items and select an appropriate control for each that would improve the security posture of the organization and would have helped to prevent this incident from occurring. Each control may only be used once, and not all controls will be used.

  

  Firewall log:

  

  

  File integrity Monitoring Report:

  

  

  Malware domain list:

  

  Vulnerability Scan Report:

  

  

  Phishing Email:

  

  

  

  ---

  

• Question 509:

  Which of the following is a useful tool for mapping, tracking, and mitigating identified threats and vulnerabilities with the likelihood and impact of occurrence?

  A. Risk register
  B. Vulnerability assessment
  C. Penetration test
  D. Compliance report
  A. Risk register

  ---

  Explanation

  A risk register is a useful tool for mapping, tracking, and mitigating identified threats and vulnerabilities with the likelihood and impact of occurrence. A risk register is a document that records the details of all the risks identified in a project or an organization, such as their sources, causes, consequences, probabilities, impacts, and mitigation strategies. A risk register can help the security team to prioritize the risks based on their severity and urgency, and to monitor and control them throughout the project or the organization's lifecycle 12. A vulnerability assessment, a penetration test, and a compliance report are all methods or outputs of identifying and evaluating the threats and vulnerabilities, but they are not tools for mapping, tracking, and mitigating them 345.

  References:

  What is a Risk Register? | Smartsheet, Risk Register: Definition & Example, Vulnerability Assessment vs. Penetration Testing: What's the Difference?, What is a Penetration Test and How Does It Work?, What is a Compliance Report? | Definition, Types, and Examples

• Question 510:

  Which of the following threat-hunting concepts is most concerned with identifying the behaviors of the bad actor?

  A. Threat intelligence sharing
  B. Indicators of compromise
  C. Insider threat analysis
  D. Tactics, techniques, and procedures
  D. Tactics, techniques, and procedures