CompTIA CS0-003 Online Practice Questions and Exam Preparation

CompTIA CS0-003 Online Questions & Answers

• Question 531:

  A company is in the process of implementing a vulnerability management program.

  Which of the following scanning methods should be implemented to minimize the risk of OT/ICS devices malfunctioning due to the vulnerability identification process?

  A. Non-credentialed scanning
  B. Passive scanning
  C. Agent-based scanning
  D. Credentialed scanning
  B. Passive scanning

  ---

  Explanation

  Passive scanning involves monitoring network traffic to identify vulnerabilities without actively probing or interacting with the devices. This method is relatively non-intrusive and can provide valuable information without directly affecting the systems.

  However, it's important to note that passive scanning might not identify all vulnerabilities, so a combination of passive scanning and periodic credentialed scanning might be a balanced approach to ensure accurate vulnerability assessment while minimizing disruption.

• Question 532:

  After identifying a threat, a company has decided to implement a patch management program to remediate vulnerabilities.

  Which of the following risk management principles is the company exercising?

  A. Transfer
  B. Accept
  C. Mitigate
  D. Avoid
  C. Mitigate

  ---

  Explanation

  Mitigate is the best term to describe the risk management principle that the company is exercising, as it means to reduce the likelihood or impact of a risk. By implementing a patch management program to remediate vulnerabilities, the company is mitigating the threat of cyberattacks that could exploit those vulnerabilities and compromise the security or functionality of the systems. The other terms are not as accurate as mitigate, as they describe different risk management principles. Transfer means to shift the responsibility or burden of a risk to another party, such as an insurer or a contractor. Accept means to acknowledge the existence of a risk and decide not to take any action to reduce it, usually because the risk is low or the cost of mitigation is too high. Avoid means to eliminate the possibility of a risk by changing the plans or activities that could cause it, such as cancelling a project or discontinuing a service

  References:

  https://safetyculture.com/topics/risk-management/

• Question 533:

  To minimize the impact of a security incident, a cybersecurity analyst has configured audit settings in the organization's cloud services.

  Which of the following security controls has the analyst configured?

  A. Preventive
  B. Corrective
  C. Directive
  D. Detective
  D. Detective

• Question 534:

  Which of the following threat-modeling procedures is in the OWASP Web Security Testing Guide?

  A. Review Of security requirements
  B. Compliance checks
  C. Decomposing the application
  D. Security by design
  C. Decomposing the application

  ---

  Explanation

  The OWASP Web Security Testing Guide (WSTG) includes a section on threat modeling, which is a structured approach to identify, quantify, and address the security risks associated with an application. The first step in the threat modeling process is decomposing the application, which involves creating use cases, identifying entry points, assets, trust levels, and data flow diagrams for the application. This helps to understand the application and how it interacts with external entities, as well as to identify potential threats and vulnerabilities 1. The other options are not part of the OWASP WSTG threat modeling process.

• Question 535:

  An analyst suspects cleartext passwords are being sent over the network.

  Which of the following tools would best support the analyst's investigation?

  A. OpenVAS
  B. Angry IP Scanner
  C. Wireshark
  D. Maltego
  C. Wireshark

• Question 536:

  During a recent site survey. an analyst discovered a rogue wireless access point on the network.

  Which of the following actions should be taken first to protect the network while preserving evidence?

  A. Run a packet sniffer to monitor traffic to and from the access point.
  B. Connect to the access point and examine its log files.
  C. Identify who is connected to the access point and attempt to find the attacker.
  D. Disconnect the access point from the network
  D. Disconnect the access point from the network

  ---

  Explanation

  A rogue access point is a wireless access point that has been installed on a network without the authorization or knowledge of the network administrator. A rogue access point can pose a serious security risk, as it can allow unauthorized users to access the network, intercept network traffic, or launch attacks against the network or its devices1234. The first action that should be taken to protect the network while preserving evidence is to disconnect the rogue access point from the network. This will prevent any further damage or compromise of the network by blocking the access point from communicating with other devices or users. Disconnecting the rogue access point will also preserve its state and configuration, which can be useful for forensic analysis and investigation. Disconnecting the rogue access point can be done physically by unplugging it from the network port or wirelessly by disabling its radio frequency 5.

  The other options are not the best actions to take first, as they may not protect the network or preserve evidence effectively.

  Option A is not the best action to take first, as running a packet sniffer to monitor traffic to and from the access point may not stop the rogue access point from causing harm to the network. A packet sniffer is a tool that captures and analyzes network packets, which are units of data that travel across a network. A packet sniffer can be useful for identifying and troubleshooting network problems, but it may not be able to prevent or block malicious traffic from a rogue access point.

  Moreover, running a packet sniffer may require additional time and resources, which could delay the response and mitigation of the incident 5.

  Option B is not the best action to take first, as connecting to the access point and examining its log files may not protect the network or preserve evidence. Connecting to the access point may expose the analyst's device or credentials to potential attacks or compromise by the rogue access point. Examining its log files may provide some information about the origin and activity of the rogue access point, but it may also alter or delete some evidence that could be useful for forensic analysis and investigation. Furthermore, connecting to the access point and examining its log files may not prevent or stop the rogue access point from continuing to harm the network 5.

  Option C is not the best action to take first, as identifying who is connected to the access point and attempting to find the attacker may not protect the network or preserve evidence. Identifying who is connected to the access point may require additional tools or techniques, such as scanning for wireless devices or analyzing network traffic, which could take time and resources away from responding and mitigating the incident. Attempting to find the attacker may also be difficult or impossible, as the attacker may use various methods to hide their identity or location, such as encryption, spoofing, or proxy servers. Moreover, identifying who is connected to the access point and attempting to find the attacker may not prevent or stop the rogue access point from causing further damage or compromise to the network 5.

  References:

  1 CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives 2 Cybersecurity Analyst+ - CompTIA

  3 CompTIA CySA+ CS0-002 Certification Study Guide

  4 CertMaster Learn for CySA+ Training - CompTIA 5 How to Protect Against Rogue Access Points on Wi-Fi - Byos 6 Wireless Access Point Protection: 5 Steps to Find Rogue Wi-Fi Networks ...

  7 Rogue Access Point - Techopedia

  8 Rogue access point - Wikipedia

  9 What is a Rogue Access Point (Rogue AP)? - Contextual Security

• Question 537:

  The security operations team is required to consolidate several threat intelligence feeds due to redundant tools and portals.

  Which of the following will best achieve the goal and maximize results?

  A. Single pane of glass
  B. Single sign-on
  C. Data enrichment
  D. Deduplication
  A. Single pane of glass

• Question 538:

  An analyst reviews the following web server log entries:

  %2E%2E/%2E%2E/%2ES2E/%2E%2E/%2E%2E/%2E%2E/etc/passwd No attacks or malicious attempts have been discovered.

  Which of the following most likely describes what took place?

  A. A SQL injection query took place to gather information from a sensitive file.
  B. A PHP injection was leveraged to ensure that the sensitive file could be accessed.
  C. Base64 was used to prevent the IPS from detecting the fully encoded string.
  D. Directory traversal was performed to obtain a sensitive file for further reconnaissance.
  D. Directory traversal was performed to obtain a sensitive file for further reconnaissance.

  ---

  Explanation

  Comprehensive and Detailed Step-by-Step Explanation:Directory traversal, also known as path traversal, is an attack that allows attackers to access restricted directories and execute commands outside the web server's root directory. The % 2E encoding corresponds to a dot (.) in ASCII, and %2E%2E resolves to ../. The log entries indicate attempts to navigate directories upward to access sensitive files like /etc/passwd. Since no malicious activity was flagged, it is inferred this was either an unsuccessful or reconnaissance attempt.

  References:

  CompTIA CySA+ Study Guide (Chapter 3: Malicious Activity, Page 79) CompTIA CySA+ Objectives (Domain 1.2 - Indicators of Potentially Malicious Activity)

• Question 539:

  The vulnerability analyst reviews threat intelligence regarding emerging vulnerabilities affecting workstations that are used within the company:

  

  Which of the following vulnerabilities should the analyst be most concerned about, knowing that end users frequently click on malicious links sent via email?

  A. Vulnerability A
  B. Vulnerability B
  C. Vulnerability C
  D. Vulnerability D
  A. Vulnerability A

  ---

  Explanation

• Question 540:

  An IDS is triggered during after-hours operations. The indicator records an abnormal amount of SYN requests being sent to port 21 from numerous external systems. A security analyst reports this information to the IR team for further investigation.

  Which of the following best describes this incident?

  A. A sniff attack through the DNS port
  B. A buffer overflow attack through the Telnet port
  C. A reconnaissance attack through the SSH port
  D. A DDoS attack through the FTP port
  D. A DDoS attack through the FTP port